Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 20 Apr 2023 18:29:10 -0400
From: Jeffrey Walton <noloader@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: PostgreSQL and CREATEROLE permission

On Thu, Apr 20, 2023 at 3:39 PM Bernd Zeimetz <bernd@...d.de> wrote:
>
> > This information showed up on the pgsql-general mailing list at [1].
> > It appears a user with CREATEROLE can elevate to root through
> > pg_execute_server_program.[2]
>
> really root? As I understand it you gain access to the DB superuser (usually
> the postgres user) only. Although I could imagine that you could trick
> careless admins into giving you root permissions on that way...

I hope I did not misparse things when I sent the email. My apologies if I did.

Jeff

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.