Skip to content
This repository was archived by the owner on Dec 17, 2024. It is now read-only.
This repository was archived by the owner on Dec 17, 2024. It is now read-only.

[doc]: revoke public message #553

Closed
#572
Closed
[doc]: revoke public message#553
#572
Assignees
pashagolub
Labels
help wantedmetric-helpers
@pmpetit

Description

@pmpetit
pmpetit
opened on Dec 11, 2022

Hello,
everywhere in your security definer function, we can see:

execute 'REVOKE CREATE ON SCHEMA $my_schema FROM public' to tighten security or comment out the DO block to disable the check$$;

i'm not sure it is a good explaination, should we replace this sentence with

execute 'REVOKE CREATE ON SCHEMA public FROM PUBLIC' to tighten security or comment out the DO block to disable the check$$;

let's do an example

create database mydb;
\c mydb
create schema myschema;

then execute your fn used to check for unsecured schema

DO $SQL$
    DECLARE
        l_secure_schemas_from_search_path text;
    BEGIN
        SELECT string_agg(safe_sp, ', ' ORDER BY rank) INTO l_secure_schemas_from_search_path FROM (
           SELECT quote_ident(nspname) AS safe_sp, rank
           FROM unnest(regexp_split_to_array(current_setting('search_path'), ',')) WITH ORDINALITY AS csp(schema_name, rank)
                    JOIN pg_namespace n
                         ON quote_ident(n.nspname) = CASE WHEN schema_name = '"$user"' THEN quote_ident(user) ELSE trim(schema_name) END
           WHERE NOT has_schema_privilege('public', n.oid, 'CREATE')
        ) x;

        IF coalesce(l_secure_schemas_from_search_path, '') = '' THEN
            RAISE NOTICE 'search_path = %', current_setting('search_path');
            RAISE EXCEPTION $$get_stat_statements() SECURITY DEFINER helper will not be created as all schemas on search_path are unsecured where all users can create objects -
              execute 'REVOKE CREATE ON SCHEMA $my_schema FROM public' to tighten security or comment out the DO block to disable the check$$;to tighten security or comment out the DO block to disable the check$$;
        ELSE
            RAISE NOTICE '%', format($$ALTER FUNCTION get_stat_statements() SET search_path TO %s$$, l_secure_schemas_from_search_path);
            EXECUTE format($$ALTER FUNCTION get_stat_statements() SET search_path TO %s$$, l_secure_schemas_from_search_path);
        END IF;
    END;
$SQL$;

even if you

REVOKE CREATE ON SCHEMA myschema FROM public;
REVOKE CREATE ON SCHEMA myschema FROM PUBLIC;

you will face the warning. The only way to create the helpers fn is to execute

REVOKE CREATE ON SCHEMA public FROM PUBLIC

that's why i think the message

execute 'REVOKE CREATE ON SCHEMA $my_schema FROM public' to tighten security or comment out the DO block to disable the check$$;

is not appropriate.

as describe here https://www.cybertec-postgresql.com/en/abusing-security-definer-functions/
why don't you set search_path at the beginning of the helpers functions ?

Metadata

Metadata

Assignees

Labels

help wantedmetric-helpers

Type

No type

Projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions