Except that it's not a bug. You're complaining that a superuser can do privileged things. Normal users can't use COPY ... PROGRAM: https://twitter.com/planetpostgres/status/1113166098046877697 …
Replying to @Jacob_Wilkin
It literally is working as documented. You can disagree with that design (IMO a bad argument, because the ability to extend postgres with additional functionality at runtime is a significant reason for its success). But that does NOT make it a security issue.
Replying to @AndresFreundTec @Jacob_Wilkin
Claiming it as a remotely exploitable security issue is just disingenuous bullshit. You could just have blogged about a, in your view, poor design choice and that'd be entirely fair game.
Replying to @AndresFreundTec @Jacob_Wilkin
Seriously, we allow superusers to do all kinds of things. Execute user-defined functions in languages running without sandboxes (there are also sandboxed languages, which non-superusers can use). Create new base types, which rely on C functions in extension libraries. DROP all data.
Replying to @AndresFreundTec @Jacob_Wilkin
What you're saying is that, despite all that being documented, it's a security issue that we allow it. That just doesn't make sense.
Replying to @AndresFreundTec @Jacob_Wilkin
IOW: Don't give superuser permissions to users that don't need them, and don't run your applications as a superuser.
Replying to @Jacob_Wilkin
You got a CVE for it. Describing a design disagreement / feature wish as a security vulnerability.
Replying to @AndresFreundTec @Jacob_Wilkin
It certainly sounds like a pretty bad abuse of the cve system, which is designed to help people track actual vulnerabilities. For clicks? Or something else? At least it is costing many hours of work from unpaid volunteers, there is that...
And even if one (how?) agreed with Jacob's view that this is a security issue, the presentation is ridiculous. Claiming something explicitly stated in the documentation as a "#ZeroDay". I mean, come on.
Replying to @AndresFreundTec @Jacob_Wilkin
And also referring to the wrong system roles and a few things like that, it definitely doesn't shine of deep research, no. More of reading some of the documentation but not all of it.
I'm saving my popcorn for when he files this CVE against the Linux kernel for allowing a root user
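The thread's point is that COPY ... PROGRAM is a documented superuser capability, not something an ordinary database user can reach. The following script is an added example, not from the thread or from the PostgreSQL project, showing the behaviour it refers to: the command works for a superuser, is refused for an ordinary role, and (since PostgreSQL 11) can be delegated through the predefined role pg_execute_server_program, which should be handed out as carefully as SUPERUSER itself. It assumes a psql session on a PostgreSQL 11+ server where you are already a superuser; the role names app_rw and batch_loader and the table name are hypothetical.

```sql
-- Added example (not part of the thread). Assumes: psql, PostgreSQL 11+,
-- current session is a superuser. Role and table names are hypothetical.

-- 1. As a superuser, COPY ... PROGRAM runs a shell command on the *server*
--    host, as the OS account the postmaster runs under (usually "postgres").
--    That is why it is privileged: it is shell access to the database host.
CREATE TABLE server_cmd_out (line text);
COPY server_cmd_out FROM PROGRAM 'id';
SELECT * FROM server_cmd_out;            -- one row like "uid=... (postgres) ..."

-- 2. An ordinary application role cannot do this; the privilege check on the
--    PROGRAM clause fires before any table access is considered.
CREATE ROLE app_rw LOGIN PASSWORD 'example-only';
SET ROLE app_rw;                         -- a superuser may SET ROLE to any role
COPY server_cmd_out FROM PROGRAM 'id';
-- ERROR (wording varies by major version): must be superuser or a member of
-- the pg_execute_server_program role to COPY to or from an external program
RESET ROLE;

-- 3. Delegating the capability without granting full SUPERUSER. Membership in
--    pg_execute_server_program is equivalent to a shell as the postgres OS
--    user, so grant it only to roles that genuinely load data via programs.
CREATE ROLE batch_loader LOGIN PASSWORD 'example-only';
GRANT pg_execute_server_program TO batch_loader;

-- 4. Audit: which login roles can currently execute server-side programs?
SELECT r.rolname,
       r.rolsuper,
       pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER') AS can_exec_program
FROM pg_roles r
WHERE r.rolcanlogin
ORDER BY r.rolname;

-- Cleanup of the hypothetical objects.
DROP TABLE server_cmd_out;
DROP ROLE batch_loader;
DROP ROLE app_rw;
```

The audit query in step 4 is the check worth keeping: the application account used by your web tier should show `rolsuper = false` and `can_exec_program = false`, which is the configuration the thread recommends. The same pattern applies to the sibling roles pg_read_server_files and pg_write_server_files, which gate the file-path forms of COPY.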