Re: db_user_namespace a "temporary measure"

From: Josh Berkus
Subject: Re: db_user_namespace a "temporary measure"
Date:
Msg-id: 5320AF6B.7010905@agliodbs.com
In reply to: db_user_namespace a "temporary measure"  (Thom Brown <thom@linux.com>)
List: pgsql-hackers
On 03/12/2014 11:40 AM, Tom Lane wrote:
> Andrew Dunstan <andrew@dunslane.net> writes:
>> On 03/12/2014 02:09 PM, Josh Berkus wrote:
>>> Well, if you really want my "I want a pony" list:
>>>
>>> Local superusers (maybe this concept needs another name) would be able
>>> to do the following things in a *single* database:
>>>
>>> 1 change permissions for other users on that database and its objects
>>> 2 load extensions from a predefined .so directory / list
>>> 3 create/modify untrusted language functions
>>> 4 create per-database users and change their settings
>>> 5 change database settings (SET stuff)
>>> 6 NOT change their own user settings
>>> 7 NOT change any global users
>>> 8 NOT run SET PERSISTENT or other commands with global effect
> 
>> Item 3 gives away the store.
> 
> Indeed.  If you can do (3), you can break out of any of the other
> constraints.  I suspect even (1) and/or (5) would be enough to mount
> trojan-horse attacks against real superusers who visit your database.

... nobody reads my whole post, except Stephen.  :-(

-- 
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com


