[Tile-serving] [openstreetmap/osm2pgsql] Document security practices for multi-user systems (#831)

Paul Norman notifications at github.com
Thu Apr 12 02:53:35 UTC 2018


I've been evaluating osm2pgsql for CVE-2018-1058-like attacks. It's doing the following function calls without a schema qualification:

- PostGIS calls
  This is an attack vector, except that the PostGIS functions have to have been created by a superuser. An owner of the DB could create a function in it with higher precedence than the PostGIS function, so osm2pgsql should never be run as superuser on a multi-user system.

- %1%_osm2pgsql_valid trigger
  This is a potential attack vector, but I believe because we just created the function in the same transaction it's fine.

- calls to COUNT(*) throughout the tests
  I think these should be pg_catalog.COUNT, and the tests need to be run as a superuser. On the other hand, osm2pgsql itself creates the databases, so I don't believe there is an attack vector.

For an attack to work you need

- an attacker who can create functions in the DB (required for the search_path attacks to work). This requires CREATE on the schema osm2pgsql is using

- osm2pgsql running with permissions higher than the attacker (required for the attack to escalate privileges)

The only scenarios I can see are

- osm2pgsql is run as a superuser
- osm2pgsql has CREATE on the db and the attacker has CREATE on the schema osm2pgsql will use, but not the db

In practice, in every scenario I've seen, osm2pgsql imports run with the highest non-superuser level of access, because they have to DROP and CREATE tables.

https://github.com/openstreetmap/osm2pgsql/issues/831#issuecomment-380659167
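Added example, not from the thread or from osm2pgsql itself: a psql session an administrator can run as the import role to check for the conditions described above (a non-trusted function on the search_path whose name collides with a built-in or extension function, and CREATE on the schema being open to everyone) and to apply the usual hardening. The role name `osm_import` and the table name `some_table` are placeholders; everything else uses standard PostgreSQL catalog views and functions.

```sql
-- Run as the role that performs osm2pgsql imports.
SHOW search_path;                       -- what an unqualified call will resolve against
SELECT current_schemas(true);           -- effective order, including pg_temp/pg_catalog

-- 1. Functions on the effective search_path that are NOT shipped with PostgreSQL
--    and NOT members of an installed extension (PostGIS etc.), but share a name
--    with one that is. Any row is a candidate for shadowing an unqualified call
--    and should be explained or dropped.
WITH trusted AS (
  SELECT p.oid, p.proname
  FROM pg_proc p
  JOIN pg_namespace n ON n.oid = p.pronamespace
  WHERE n.nspname = 'pg_catalog'
     OR EXISTS (SELECT 1 FROM pg_depend d
                WHERE d.classid    = 'pg_proc'::regclass
                  AND d.objid      = p.oid
                  AND d.refclassid = 'pg_extension'::regclass
                  AND d.deptype    = 'e')
)
SELECT n.nspname AS schema,
       p.proname AS function,
       pg_get_function_identity_arguments(p.oid) AS args,
       pg_get_userbyid(p.proowner) AS owner
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = ANY (current_schemas(true))
  AND p.oid NOT IN (SELECT oid FROM trusted)
  AND p.proname IN (SELECT proname FROM trusted)
ORDER BY 1, 2;

-- 2. Who may CREATE objects in the schemas the import will use?
--    'true' for PUBLIC means any role in the database satisfies the first
--    precondition listed in the thread.
SELECT nspname,
       has_schema_privilege('public', nspname, 'CREATE') AS public_can_create
FROM pg_namespace
WHERE nspname = ANY (current_schemas(false));

-- 3. Hardening (run as the schema owner / database owner, not as the attacker-
--    level role): close CREATE on public to everyone, and pin the import role's
--    search_path so it does not depend on per-session settings.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
ALTER ROLE osm_import SET search_path = pg_catalog, public;   -- osm_import: placeholder role

-- 4. Style the page recommends for the application's own SQL: qualify the call.
SELECT pg_catalog.count(*) FROM some_table;                    -- some_table: placeholder name
```

Query 1 deliberately uses `current_schemas(true)` so that `pg_temp` and `pg_catalog` are considered; a same-named function with a better-matching argument type can win overload resolution even when it sits in a schema that appears later than `pg_catalog`, which is why the check keys on name collisions rather than on schema order alone.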