pageinspect some function no need superuser priv

Started by jian he, 6 months ago (5 messages, hackers)
#1 jian he
jian.universality@gmail.com

hi.

just came to my mind.

If you're the table owner, you should be allowed to use get_raw_page (and other
pageinspect module functions)?
We can use RangeVarGetRelidExtended with
RangeVarCallbackOwnsRelation to perform the ownership check.

Attached is a draft POC.
Am I missing anything obvious?

Attachments:

page_inspect_owner_can_query.diff (text/x-patch; charset=US-ASCII), +11 -7
#2 Kirill Reshke
reshkekirill@gmail.com
In reply to: jian he (#1)
Re: pageinspect some function no need superuser priv

On Tue, 14 Oct 2025, 18:27 jian he, <jian.universality@gmail.com> wrote:

> hi.
>
> just came to my mind.
>
> If you're the table owner, you should be allowed to use get_raw_page (and
> other pageinspect module functions)?
> We can use RangeVarGetRelidExtended with
> RangeVarCallbackOwnsRelation to perform the ownership check.
>
> Attached is a draft POC.
> Am I missing anything obvious?

Hi!
I was also wondering if there is any security vulnerability with that.
I was thinking about page LSN, checkpoint and WAL compression as a possible
way to abuse, but did not manage to come up with an exploit.

#3 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Kirill Reshke (#2)
Re: pageinspect some function no need superuser priv

Kirill Reshke <reshkekirill@gmail.com> writes:

> On Tue, 14 Oct 2025, 18:27 jian he, <jian.universality@gmail.com> wrote:
>> If you're the table owner, you should be allowed to use get_raw_page (and
>> other pageinspect module functions)?
>
> I was also wondering if there is any security vulnerability with that.
> I was thinking about page LSN, checkpoint and WAL compression as a possible
> way to abuse, but did not manage to come up with an exploit.

Yeah, I do not think it follows that being table owner should
entitle you to such low-level access. I'm inclined to reject
this proposal.

regards, tom lane

#4 Nathan Bossart
nathandbossart@gmail.com
In reply to: Tom Lane (#3)
Re: pageinspect some function no need superuser priv

On Tue, Oct 14, 2025 at 10:29:39AM -0400, Tom Lane wrote:

> Yeah, I do not think it follows that being table owner should
> entitle you to such low-level access. I'm inclined to reject
> this proposal.

-1 here, too. IMHO all of pageinspect should remain superuser-only since
it is meant for development/debugging. The proposal doesn't describe a
use-case for the relaxed privileges, either.

--
nathan

#5 Michael Paquier
michael@paquier.xyz
In reply to: Nathan Bossart (#4)
Re: pageinspect some function no need superuser priv

On Tue, Oct 14, 2025 at 10:51:51AM -0500, Nathan Bossart wrote:

> On Tue, Oct 14, 2025 at 10:29:39AM -0400, Tom Lane wrote:
>> Yeah, I do not think it follows that being table owner should
>> entitle you to such low-level access. I'm inclined to reject
>> this proposal.
>
> -1 here, too. IMHO all of pageinspect should remain superuser-only since
> it is meant for development/debugging. The proposal doesn't describe a
> use-case for the relaxed privileges, either.

Same. We've always wanted this module to be superuser-only, with
superuser hardcoded checks and not even execution ACLs.
--
Michael