    Document security implications of search_path and the public schema. · 5770172c
    Noah Misch authored
    The ability to create like-named objects in different schemas opens up
    the potential for users to change the behavior of other users' queries,
    maliciously or accidentally.  When you connect to a PostgreSQL server,
    you should remove from your search_path any schema for which a user
    other than yourself or superusers holds the CREATE privilege.  If you do
    not, other users holding CREATE privilege can redefine the behavior of
    your commands, causing them to perform arbitrary SQL statements under
    your identity.  "SET search_path = ..." and "SELECT
    pg_catalog.set_config(...)" are not vulnerable to such hijacking, so one
    can use either as the first command of a session.  As special
    exceptions, the following client applications behave as documented
    regardless of search_path settings and schema privileges: clusterdb
    createdb createlang createuser dropdb droplang dropuser ecpg (not
    programs it generates) initdb oid2name pg_archivecleanup pg_basebackup
    pg_config pg_controldata pg_ctl pg_dump pg_dumpall pg_isready
    pg_receivewal pg_recvlogical pg_resetwal pg_restore pg_rewind pg_standby
    pg_test_fsync pg_test_timing pg_upgrade pg_waldump reindexdb vacuumdb
    vacuumlo.  Not included are core client programs that run user-specified
    SQL commands, namely psql and pgbench.  PostgreSQL encourages non-core
    client applications to do likewise.
    
    Document this in the context of libpq connections, psql connections,
    dblink connections, ECPG connections, extension packaging, and schema
    usage patterns.  The principal defense for applications is "SELECT
    pg_catalog.set_config('search_path', '', false)", and the principal
    defense for databases is "REVOKE CREATE ON SCHEMA public FROM PUBLIC".
    Either one is sufficient to prevent attack.  After a REVOKE, consider
    auditing the public schema for objects named like pg_catalog objects.
    
    Authors of SECURITY DEFINER functions use some of the same defenses, and
    the CREATE FUNCTION reference page already covered them thoroughly.
    This is a good opportunity to audit SECURITY DEFINER functions for
    robust security practice.
    
    Back-patch to 9.3 (all supported versions).
    
    Reviewed by Michael Paquier and Jonathan S. Katz.  Reported by Arseniy
    Sharoglazov.
    
    Security: CVE-2018-1058
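The hijack the commit message describes, followed by both defenses and the post-REVOKE audit, as an added worked example; this is not code from the commit or from the PostgreSQL documentation. The roles alice (victim) and mallory (attacker), the table public.hijack_log and the sample literal are constructed for the example. It is written to be run top to bottom as a superuser in one psql session on a PostgreSQL release before 15, where the public schema still carries its default ACL (CREATE granted to PUBLIC); on 15 and later the first CREATE under mallory fails, which is the point of defense 4.

```sql
-- Added example, not part of the PostgreSQL commit. Constructed roles and
-- objects; run as a superuser in a single session on PostgreSQL < 15.
CREATE ROLE alice LOGIN;
CREATE ROLE mallory LOGIN;

-- 1. Attack. pg_catalog is implicitly searched first, but only for an exact
--    signature match. pg_catalog has lower(text); for a varchar argument a
--    public.lower(varchar) is the exact match and wins over the implicit
--    varchar -> text cast, so it is picked ahead of the system function.
SET ROLE mallory;
CREATE TABLE public.hijack_log (run_as text, at timestamptz);
GRANT INSERT ON public.hijack_log TO PUBLIC;
CREATE FUNCTION public.lower(varchar) RETURNS text
LANGUAGE plpgsql AS $$
BEGIN
  -- SECURITY INVOKER is the default, so this runs under the *caller's*
  -- identity; a real payload would run whatever the caller is allowed to.
  INSERT INTO public.hijack_log VALUES (current_user, pg_catalog.now());
  RETURN pg_catalog.lower($1::text);   -- return the expected value to stay unnoticed
END
$$;
RESET ROLE;

-- 2. Victim. Default search_path is "$user", public; alice has no own
--    schema, so the unqualified call resolves to mallory's function.
SET ROLE alice;
SELECT lower('Hello'::varchar);        -- 'hello', and hijack_log now says 'alice'
RESET ROLE;
SELECT * FROM public.hijack_log;

-- 3. Application-side defense: an empty search_path as the first statement.
--    pg_catalog stays implicitly visible, public does not, so the same call
--    now resolves to pg_catalog.lower(text). set_config() and SET are the two
--    forms the commit names as not themselves hijackable. Every other
--    object the application touches must then be schema-qualified.
SET ROLE alice;
SELECT pg_catalog.set_config('search_path', '', false);
SELECT lower('Hello'::varchar);        -- 'hello' from pg_catalog, nothing logged
RESET search_path;
RESET ROLE;

-- 4. Database-side defense (owner or superuser). PostgreSQL 15+ ships
--    the public schema this way already.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- Check: who still holds CREATE on public? grantee 0 is the PUBLIC
-- pseudo-role. A NULL nspacl means the built-in default, which before
-- PostgreSQL 15 includes CREATE for PUBLIC, and yields no rows here.
SELECT CASE WHEN a.grantee = 0 THEN 'PUBLIC'
            ELSE pg_catalog.pg_get_userbyid(a.grantee) END AS grantee,
       a.privilege_type
FROM pg_catalog.pg_namespace n
     CROSS JOIN LATERAL pg_catalog.aclexplode(n.nspacl) AS a
WHERE n.nspname = 'public' AND a.privilege_type = 'CREATE';

-- 5. Audit. REVOKE does not remove objects already planted, so list every
--    function or operator in public whose name collides with pg_catalog.
SELECT 'function' AS kind, p.proname AS name,
       pg_catalog.pg_get_function_identity_arguments(p.oid) AS args
FROM pg_catalog.pg_proc p
JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'public'
  AND EXISTS (SELECT 1 FROM pg_catalog.pg_proc c
              JOIN pg_catalog.pg_namespace cn ON cn.oid = c.pronamespace
              WHERE cn.nspname = 'pg_catalog' AND c.proname = p.proname)
UNION ALL
SELECT 'operator', o.oprname,
       pg_catalog.format('%s, %s', o.oprleft::regtype, o.oprright::regtype)
FROM pg_catalog.pg_operator o
JOIN pg_catalog.pg_namespace n ON n.oid = o.oprnamespace
WHERE n.nspname = 'public'
  AND EXISTS (SELECT 1 FROM pg_catalog.pg_operator c
              JOIN pg_catalog.pg_namespace cn ON cn.oid = c.oprnamespace
              WHERE cn.nspname = 'pg_catalog' AND c.oprname = o.oprname);
-- In this scenario the audit returns one row: function lower(character varying).

-- Cleanup of the constructed scenario.
DROP FUNCTION public.lower(varchar);
DROP TABLE public.hijack_log;
DROP ROLE mallory;
DROP ROLE alice;
```

Step 3 is the defense the commit recommends for applications, step 4 the one for databases; either alone blocks the hijack in step 2, since the first removes public from resolution and the second denies mallory the CREATE that step 1 needs. The audit in step 5 covers functions and operators only; types, tables and views with pg_catalog names are also worth a look, but they cannot be reached by an unqualified call the way a function or operator can.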
contrib.sgml 6.44 KB