oss-sec mailing list archives
Re: PostgreSQL and CREATEROLE permission
From: Bernd Zeimetz <bernd () bzed de>
Date: Thu, 20 Apr 2023 20:39:36 +0200
Hi,
> This information showed up on the pgsql-general mailing list at [1]. It appears a user with CREATEROLE can elevate to root through pg_execute_server_program.[2]
Really root? As I understand it you gain access to the DB superuser (usually the postgres user) only. Although I could imagine that you could trick careless admins into giving you root permissions that way...

Bernd

-- 
Bernd Zeimetz Debian GNU/Linux Developer
http://bzed.de http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F
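An audit query for the condition this thread discusses, added here as an example and not part of either poster's message: it lists non-superuser roles that hold CREATEROLE and shows who is currently a member of pg_execute_server_program. It assumes PostgreSQL 11 or later, where that predefined role exists, and uses only the standard catalogs pg_roles and pg_auth_members.

```sql
-- 1. Non-superuser roles holding CREATEROLE, and whether each one is
--    already a member (directly or through another role) of
--    pg_execute_server_program.
SELECT r.rolname,
       r.rolcanlogin,
       pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER')
           AS member_of_execute_server_program
FROM pg_roles AS r
WHERE r.rolcreaterole
  AND NOT r.rolsuper
ORDER BY r.rolname;

-- 2. Every direct grant of pg_execute_server_program, with the role that
--    granted it, so unexpected grantors stand out in review.
SELECT pg_get_userbyid(m.member)  AS member,
       pg_get_userbyid(m.grantor) AS granted_by,
       m.admin_option
FROM pg_auth_members AS m
WHERE m.roleid = 'pg_execute_server_program'::regrole
ORDER BY member;
```

Any row in the first result is a role to review; a grantor in the second result that is not a superuser or an expected administrative role is the case worth investigating.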