Postgres: Abusing Security Definer Functions

The example would be even better if it used the built in functions to correctly escape and cast input types.<p>CREATE FUNCTION public.realplusplus(integer) RETURNS integer LANGUAGE sql SECURITY DEFINER SET search_path = pg_catalog AS &#x27;RETURN EXECUTE format(&#x27;&#x27;SELECT %L + 1&#x27;&#x27;, $1)&#x27;;<p>However the search path limitation is still required due to the ability to over-ride basic operators; something that I consider an anti-feature from a security standpoint since it does not LOOK to the casual observer that an overridable function exists.<p><a href="https:&#x2F;&#x2F;www.postgresql.org&#x2F;docs&#x2F;9.6&#x2F;functions-string.html#FUNCTIONS-STRING-FORMAT" rel="nofollow">https:&#x2F;&#x2F;www.postgresql.org&#x2F;docs&#x2F;9.6&#x2F;functions-string.html#FU...</a>

Interesting, this sounds very much like SUID binaries in Unixes.<p>People want them, but there are so many things to worry about -- LD_PRELOAD, PATH, untrusted input, file open races.<p>I am surprised that postgres is still vulnerable to to those things. I&#x27;d think it is natural that those scripts should ignore &quot;search path&quot;, just like Perl requires user-specified PATH in the taint mode, or how Linux SUID binaries ignore LD_PRELOAD variable.

This reminds me of the LD_PRELOAD security measure [1]. However the solution there, to always set it to a sane default, appears superior. Can&#x27;t you set the search path for SECURITY DEFINER to a saner default unless specified?<p>[1] <a href="https:&#x2F;&#x2F;manpages.debian.org&#x2F;wheezy&#x2F;manpages&#x2F;ld-linux.so.8.en.html" rel="nofollow">https:&#x2F;&#x2F;manpages.debian.org&#x2F;wheezy&#x2F;manpages&#x2F;ld-linux.so.8.en...</a><p><pre><code> LD_PRELOAD A whitespace-separated list of additional, user-specified, ELF shared libraries to be loaded before all others. This can be used to selectively override functions in other shared libraries. For setuid&#x2F;setgid ELF binaries, only libraries in the standard search directories that are also setgid will be loaded.</code></pre>