Security definer

From UVOO Tech Wiki
Jump to navigation Jump to search

PostgreSQL, SECURITY DEFINER is an attribute applied to functions, procedures, or views that dictates the security context under which they execute. How it works: Default Behavior (SECURITY INVOKER): By default, when a function or procedure is invoked, it runs with the privileges of the calling user (the user executing the function). This is known as SECURITY INVOKER. SECURITY DEFINER: When a function, procedure, or view is defined with SECURITY DEFINER, it executes with the privileges of the owner of that object (the user who created or last altered it). This means that even if a low-privileged user calls the SECURITY DEFINER function, the operations within that function will be performed with the potentially higher privileges of the owner. Purpose and Use Cases: The primary purpose of SECURITY DEFINER is to allow controlled elevation of privileges. This is useful in scenarios where a less privileged user needs to perform a specific action that requires higher privileges, but without directly granting them those elevated permissions. Examples: Controlled Data Access: A SECURITY DEFINER function owned by a superuser could allow a regular user to access or modify specific data in a table they wouldn't normally have direct access to, but only through the controlled logic within the function. System Administration Tasks: A SECURITY DEFINER function could allow a non-superuser to perform limited administrative tasks, such as creating new roles with specific, predefined permissions, without granting them full CREATEROLE privileges. Security Considerations: While SECURITY DEFINER is powerful, it introduces security risks if not used carefully: Vulnerability to Abuse: If a SECURITY DEFINER function is not written securely and allows arbitrary input or operations, it can be exploited to gain unauthorized access or perform malicious actions with the owner's elevated privileges. Search Path Manipulation: In functions that use SECURITY DEFINER, it is crucial to explicitly schema-qualify all database objects (tables, functions, etc.) to prevent potential search path manipulation, where a malicious user could create objects with the same name in their own schema to trick the function into executing unintended code. Least Privilege Principle: Adhere to the principle of least privilege. The owner of a SECURITY DEFINER object should only have the minimum necessary privileges required for the function's intended purpose.

Retrieved from "https://tech.uvoo.io/index.php?title=Security_definer&oldid=5625"