Changes between Initial Version and Version 1 of Ticket #5165, comment 2
- Timestamp:
- 06/08/22 10:53:29 (2 years ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
Ticket #5165, comment 2
initial → v1

Unmodified:
The danger for ALTER EXTENSION here is if a regular untrusted user knows a function exists in postgis in a newer version not yet installed. They go create a function with that signature with the future expectation that postgis will be upgraded. Then when ALTER EXTENSION UPDATE is done, our function would now make a function they own be part of postgis, and they could then change that function, putting malicious things in there. If a super user then runs this co-opted function, they could accidentally elevate the privileges of said user (because it would be running under super user rights).

Removed:
In practice people can easily avoid this by preventing untrusted users from creating things in a schema where postgis is installed. We could also force ownership of all postgis packaged functions at end to be owned by the person running create extension. I think the force is not a good idea because I suspect DbaaS are looking for that kind of stuff and would treat it as a threat and bail out. It probably would be seen as such too by many vulnerability scanners. So our attempt to mitigate such a thing would look like we're trying to cause such a thing to happen.

Added:
In practice people can easily avoid this by preventing untrusted users from creating things in a schema where postgis is installed. We could also force ownership of all postgis packaged functions at end to be owned by the person running ALTER EXTENSION. I think the force is not a good idea because I suspect DbaaS are looking for that kind of stuff and would treat it as a threat and bail out. It probably would be seen as such too by many vulnerability scanners. So our attempt to mitigate such a thing would look like we're trying to cause such a thing to happen.
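The mitigation the comment recommends (keep untrusted users from creating objects in the PostGIS schema) and an audit for the condition it warns about, as an added example that is not part of the ticket or of PostGIS itself. It assumes PostGIS is installed in a schema named `postgis` (a placeholder; substitute the schema that `\dx` reports for your install) and uses only the standard catalogs `pg_proc`, `pg_namespace`, `pg_extension` and `pg_depend`.

```sql
-- Hardening: deny object creation in the PostGIS schema to everyone but its owner.
-- Assumption: PostGIS lives in schema "postgis" (placeholder).
-- Roles that were granted CREATE explicitly need their own REVOKE as well.
REVOKE CREATE ON SCHEMA postgis FROM PUBLIC;

-- Audit 1: functions in the PostGIS schema that are NOT members of the extension.
-- A function here with a signature that a future PostGIS version will ship is
-- exactly what ALTER EXTENSION ... UPDATE could absorb, so review each hit.
SELECT p.oid::regprocedure        AS function_signature,
       pg_get_userbyid(p.proowner) AS owner
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
JOIN pg_extension e ON e.extname = 'postgis' AND e.extnamespace = n.oid
WHERE NOT EXISTS (
    SELECT 1
    FROM pg_depend d
    WHERE d.classid    = 'pg_proc'::regclass
      AND d.objid      = p.oid
      AND d.refclassid = 'pg_extension'::regclass
      AND d.refobjid   = e.oid
      AND d.deptype    = 'e'          -- 'e' = owned by an extension
)
ORDER BY 1;

-- Audit 2: extension member functions whose owner is not the extension owner.
-- After an upgrade, a row here means a previously absorbed function is still
-- controlled by a role other than whoever installed PostGIS.
SELECT p.oid::regprocedure        AS function_signature,
       pg_get_userbyid(p.proowner) AS owner,
       pg_get_userbyid(e.extowner) AS extension_owner
FROM pg_depend d
JOIN pg_extension e ON e.oid = d.refobjid
JOIN pg_proc      p ON p.oid = d.objid
WHERE e.extname     = 'postgis'
  AND d.classid     = 'pg_proc'::regclass
  AND d.refclassid  = 'pg_extension'::regclass
  AND d.deptype     = 'e'
  AND p.proowner   <> e.extowner
ORDER BY 1;
```

Both audits should return zero rows on a healthy install; run them as part of the pre-upgrade checklist so a surprise in Audit 1 is caught before ALTER EXTENSION UPDATE rather than after.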