LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

A PostgreSQL flaw

A PostgreSQL flaw

Posted Feb 23, 2007 23:32 UTC (Fri) by intgr (subscriber, #39733)
In reply to: A PostgreSQL flaw by dw
Parent article: A PostgreSQL flaw

No -- Mallory needs access to existing SECURITY DEFINER functions defined by a higher-privilege user. Mallory can only create his own functions, but that way he'll only be able to impersonate himself.

(Log in to post comments)

A PostgreSQL flaw

Posted Feb 26, 2007 21:15 UTC (Mon) by schabi (subscriber, #14079) [Link]

That's not correct. He needs to define his own function or operator that shadows a function or operator used by the privileged function (by having the same name and signature), then arrange the search path so that his function is found first, and then call the privileged function.

In most cases, it even suffices that he creates the function or operator in his own schema, as - by default - that schema precedes the ones that define the built-in operators and functions.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds