PostgreSQL developers make security hole public
In a blog entry, the developers of the free PostgreSQL database warn programmers against improper use of the SECURITY DEFINER option in SQL procedures and functions. With this option, the code is executed with the rights of the user who defined the procedure, much like the setuid mechanism in Unix, which allows any user to execute programs with the rights of the superuser.
The security hole results from the fact that PostgreSQL resolves references in function code at run time and "any references to SQL objects that are not schema qualified are resolved using the schema search path of the session at run time, which is under the control of the calling user." As a workaround for this design error, the developers recommend using SET search_path in all SECURITY DEFINER procedures and functions to set the schema path on which PostgreSQL looks for the referenced functions, procedures, and operations.
This security hole affects all versions of PostgreSQL since 7.3. The developers have not provided a patch, but PostgreSQL 8.3 may contain a remedy. Until one is made available, developers should protect their procedures and functions with the SET search_path setting described above.
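The recommended protection, as an added example that is not code from the PostgreSQL blog entry: a SECURITY DEFINER function with an unqualified table reference, the same function with its search path pinned, and a catalog query that lists SECURITY DEFINER functions lacking such a setting. The schema `admin`, the table `accounts` and both function names are hypothetical; the function-level `SET` clause and `pg_proc.proconfig` assume PostgreSQL 8.3 or later, and `unnest()` assumes 8.4 or later.

```sql
-- Constructed setup (hypothetical names): a schema only its owner can use.
CREATE SCHEMA admin;
CREATE TABLE admin.accounts (username text PRIMARY KEY, active boolean NOT NULL);

-- Weak form: "accounts" is not schema-qualified, so it is resolved through the
-- calling session's search_path at run time, while the body runs with the
-- rights of the user who defined the function.
CREATE FUNCTION public.is_active_weak(uname text) RETURNS boolean AS $$
BEGIN
    RETURN EXISTS (SELECT 1 FROM accounts WHERE username = uname AND active);
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;

-- Hardened form: the search path is fixed for the duration of the call, so
-- the caller's session setting no longer decides what "accounts" means.
-- Only trusted schemas are listed; pg_temp is named explicitly and last,
-- because the temporary schema is otherwise searched first.
CREATE FUNCTION public.is_active(uname text) RETURNS boolean AS $$
BEGIN
    RETURN EXISTS (SELECT 1 FROM accounts WHERE username = uname AND active);
END;
$$ LANGUAGE plpgsql SECURITY DEFINER
   SET search_path = admin, pg_temp;

-- Audit: SECURITY DEFINER functions with no per-function search_path setting.
-- proconfig holds the function's SET clauses as 'name=value' strings and is
-- NULL when there are none.
SELECT n.nspname AS schema_name,
       p.proname AS function_name,
       pg_catalog.pg_get_userbyid(p.proowner) AS runs_as
FROM pg_catalog.pg_proc p
JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
WHERE p.prosecdef
  AND NOT EXISTS (
        SELECT 1
        FROM unnest(p.proconfig) AS c(setting)
        WHERE split_part(c.setting, '=', 1) = 'search_path')
ORDER BY 1, 2;
```

With the objects above, the audit query returns `public.is_active_weak` and omits `public.is_active`.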