Participants
Tom Lane
Tom Lane
Bruce Momjian
Bruce Momjian
Zeugswetter Andreas SB
Zeugswetter Andreas SB
Attachments

No attachments in this thread

Thread Outline
#1Tom LaneTom Lane
Dec 22, 2000
#2Bruce MomjianBruce Momjianto Tom Lane (#1)
Dec 22, 2000
#3Zeugswetter Andreas SBZeugswetter Andreas SBto Bruce Momjian (#2)
Dec 27, 2000

Inheritance is a security loophole!

Started by Tom Laneabout 25 years ago3 messages
#1Tom Lane
Tom Lane
tgl@sss.pgh.pa.us

The lack of a permissions check for creating a child table means that
in current sources, any user can inject data of his choosing into
another user's tables. Example:

User A:

regression=> create table foo (f1 text);
CREATE
regression=> insert into foo values ('good data');
INSERT 271570 1

User B:

regression=> create table foohack () inherits (foo);
CREATE
regression=> insert into foohack values ('you have been hacked!');
INSERT 271598 1

Now User A sees:

regression=> select * from foo;
f1
-----------------------
good data
you have been hacked!
(2 rows)

User A can only avoid this trap by being very careful to specify ONLY
in every query. If he *intends* to use foo as an inheritance tree
master, then that cure doesn't work either.

Just to add insult to injury, user A is now unable to drop table foo.
He'll also get permission failures from commands like "UPDATE foo ..."

I suppose a proper fix would involve adding a new permission type "can
make child tables", but I don't want to mess with that at the moment.
For 7.1, I propose that we only allow creation of child tables to the
owner of the parent table.

Comments?

regards, tom lane

PS: another interesting problem: create a temp table, then create a
non-temp table that inherits from it. Unhappiness ensues when you
end your session. Need to prohibit this combination, I think.

#2Bruce Momjian
Bruce Momjian
pgman@candle.pha.pa.us
In reply to: Tom Lane (#1)
Re: Inheritance is a security loophole!

I suppose a proper fix would involve adding a new permission type "can
make child tables", but I don't want to mess with that at the moment.
For 7.1, I propose that we only allow creation of child tables to the
owner of the parent table.

I see no reason people would be inheriting from other people's tables.
Let's disable it.

PS: another interesting problem: create a temp table, then create a
non-temp table that inherits from it. Unhappiness ensues when you
end your session. Need to prohibit this combination, I think.

Clear example where mixing features causes strange behavour. Part of
the UNION/TEMPORARY/subquery/aggregate/inheritance/rule/view/array mix.

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
#3Zeugswetter Andreas SB
Zeugswetter Andreas SB
ZeugswetterA@wien.spardat.at
In reply to: Bruce Momjian (#2)
AW: Inheritance is a security loophole!

For 7.1, I propose that we only allow creation of child tables to the
owner of the parent table.

Or dba. Sounds reasonable, maybe even sufficient to me.

(Informix has a separate right (called under) to grant inheritability to others
(just to support your separate right point).)

Andreas

Import Notes
Resolved by subject fallback
← Back to Topics