oss-sec mailing list archives
Re: PostgreSQL and CREATEROLE permission
From: Jeffrey Walton <noloader () gmail com>
Date: Thu, 20 Apr 2023 18:29:10 -0400
On Thu, Apr 20, 2023 at 3:39 PM Bernd Zeimetz <bernd () bzed de> wrote:
> > This information showed up on the pgsql-general mailing list at [1]. It appears a user with CREATEROLE can elevate to root through pg_execute_server_program.[2]
> really root? As I understand it you gain access to the DB superuser (usually the postgres user) only. Although I could imagine that you could trick careless admins into giving you root permissions on that way...
I hope I did not misparse things when I sent the email. My apologies if I did.
Jeff
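For auditing the exposure discussed in this thread, the following query (an added example, not part of the original message or of PostgreSQL's own tooling) lists non-superuser roles that hold CREATEROLE or that are direct or inherited members of pg_execute_server_program. It assumes a PostgreSQL version that ships the predefined pg_execute_server_program role; the CTE and column alias names are illustrative.

```sql
-- Added example: audit query, read-only, uses only system catalogs.
-- Expand role membership transitively so indirect grants are visible.
WITH RECURSIVE membership(member, roleid) AS (
    -- direct memberships
    SELECT member, roleid
    FROM pg_auth_members
    UNION
    -- memberships reached through an intermediate role
    SELECT m.member, ms.roleid
    FROM pg_auth_members AS m
    JOIN membership AS ms ON ms.member = m.roleid
),
exec_members AS (
    -- every role that ends up inside pg_execute_server_program
    SELECT ms.member
    FROM membership AS ms
    JOIN pg_roles AS g ON g.oid = ms.roleid
    WHERE g.rolname = 'pg_execute_server_program'
)
SELECT r.rolname,
       r.rolcanlogin,
       r.rolcreaterole,
       (e.member IS NOT NULL) AS in_pg_execute_server_program
FROM pg_roles AS r
LEFT JOIN exec_members AS e ON e.member = r.oid
WHERE NOT r.rolsuper                          -- superusers are out of scope
  AND (r.rolcreaterole OR e.member IS NOT NULL)
ORDER BY r.rolname;
```

Each returned row is a non-superuser role worth reviewing: either it can create and alter other roles, or it can already run programs on the server as the operating system user that runs the database.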