Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[doc]: revoke public message #553

Closed
pmpetit opened this issue Dec 11, 2022 · 1 comment · Fixed by #572
Closed

[doc]: revoke public message #553

pmpetit opened this issue Dec 11, 2022 · 1 comment · Fixed by #572
Assignees
@pashagolub
Labels
help wanted metric-helpers

Comments

@pmpetit
Copy link
Contributor

pmpetit commented Dec 11, 2022
edited

Hello,
everywhere in your security definer function, we can see:

execute 'REVOKE CREATE ON SCHEMA $my_schema FROM public' to tighten security or comment out the DO block to disable the check$$;

i'm not sure it is a good explaination, should we replace this sentence with

execute 'REVOKE CREATE ON SCHEMA public FROM PUBLIC' to tighten security or comment out the DO block to disable the check$$;

let's do an example

create database mydb;
\c mydb
create schema myschema;

then execute your fn used to check for unsecured schema

DO $SQL$
    DECLARE
        l_secure_schemas_from_search_path text;
    BEGIN
        SELECT string_agg(safe_sp, ', ' ORDER BY rank) INTO l_secure_schemas_from_search_path FROM (
           SELECT quote_ident(nspname) AS safe_sp, rank
           FROM unnest(regexp_split_to_array(current_setting('search_path'), ',')) WITH ORDINALITY AS csp(schema_name, rank)
                    JOIN pg_namespace n
                         ON quote_ident(n.nspname) = CASE WHEN schema_name = '"$user"' THEN quote_ident(user) ELSE trim(schema_name) END
           WHERE NOT has_schema_privilege('public', n.oid, 'CREATE')
        ) x;

        IF coalesce(l_secure_schemas_from_search_path, '') = '' THEN
            RAISE NOTICE 'search_path = %', current_setting('search_path');
            RAISE EXCEPTION $$get_stat_statements() SECURITY DEFINER helper will not be created as all schemas on search_path are unsecured where all users can create objects -
              execute 'REVOKE CREATE ON SCHEMA $my_schema FROM public' to tighten security or comment out the DO block to disable the check$$;to tighten security or comment out the DO block to disable the check$$;
        ELSE
            RAISE NOTICE '%', format($$ALTER FUNCTION get_stat_statements() SET search_path TO %s$$, l_secure_schemas_from_search_path);
            EXECUTE format($$ALTER FUNCTION get_stat_statements() SET search_path TO %s$$, l_secure_schemas_from_search_path);
        END IF;
    END;
$SQL$;

even if you

REVOKE CREATE ON SCHEMA myschema FROM public;
REVOKE CREATE ON SCHEMA myschema FROM PUBLIC;

you will face the warning. The only way to create the helpers fn is to execute

REVOKE CREATE ON SCHEMA public FROM PUBLIC

that's why i think the message

execute 'REVOKE CREATE ON SCHEMA $my_schema FROM public' to tighten security or comment out the DO block to disable the check$$;

is not appropriate.

as describe here https://www.cybertec-postgresql.com/en/abusing-security-definer-functions/
why don't you set search_path at the beginning of the helpers functions ?
@pashagolub
Copy link
Collaborator

Would you please provide a pull request to address this issue?

Thanks a lot!

@pashagolub pashagolub self-assigned this Dec 14, 2022
@pmpetit pmpetit mentioned this issue Dec 15, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@pashagolub pashagolub

Labels
help wanted metric-helpers
Projects
pgwatch2
Status: Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[*] change output message in helpers functions, closes #553 pmpetit/pgwatch2
2 participants
@pmpetit @pashagolub