NotificationsYou must be signed in to change notification settings
Fork4.9k
Star17.7k

Commit8d7694b

committed

Use a separate interpreter for each calling SQL userid in plperl and pltcl.

There are numerous methods by which a Perl or Tcl function can subvertthe behavior of another such function executed later; for example, byredefining standard functions or operators called by the target function.If the target function is SECURITY DEFINER, or is called by such afunction, this means that any ordinary SQL user with Perl or Tcl languageusage rights can do essentially anything with the privileges of the targetfunction's owner.To close this security hole, create a separate Perl or Tcl interpreter foreach SQL userid under which plperl or pltcl functions are executed withina session. However, all plperlu or pltclu functions run within a sessionstill share a single interpreter, since they all execute at the trustlevel of a database superuser anyway.Note: this change results in a functionality loss when libperl has beenbuilt without the "multiplicity" option: it's no longer possible to callplperl functions under different userids in one session, since such alibperl can't support multiple interpreters in one process. However, sucha libperl already failed to support concurrent use of plperl and plperlu,so it's likely that few people use such versions with Postgres.Security:CVE-2010-3433

1 parentee54ffd commit8d7694bCopy full SHA for 8d7694b

File tree

9 files changed

+675

-386

lines changed

doc/src/sgml
src/pl
- plperl
  - plperl.c
  - test
    - plperlu_plperl.expected
    - test.expected
- tcl
  - pltcl.c

9 files changed

+675

-386

lines changed

`‎doc/src/sgml/installation.sgml`

Lines changed: 5 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -170,6 +170,11 @@ su - postgres`
`170`	`170`	`recent <productname>Perl</productname> versions, but it was not`
`171`	`171`	`in earlier versions, and in any case it is the choice of whomever`
`172`	`172`	`installed Perl at your site.`
	`173`	`+ If you intend to make more than incidental use of`
	`174`	`+ <application>PL/Perl</application>, you should ensure that the`
	`175`	`+ <productname>Perl</productname> installation was built with the`
	`176`	`+ <literal>usemultiplicity</> option enabled (<literal>perl -V</>`
	`177`	`+ will show whether this is the case).`
`173`	`178`	`</para>`
`174`	`179`
`175`	`180`	`<para>`

`‎doc/src/sgml/plperl.sgml`

Lines changed: 43 additions & 16 deletions

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ $PostgreSQL: pgsql/doc/src/sgml/plperl.sgml,v 2.37.4.1 2010/05/13 16:44:03 aduns`
`35`	`35`	`<para>`
`36`	`36`	`Users of source packages must specially enable the build of`
`37`	`37`	`PL/Perl during the installation process. (Refer to <xref`
`38`		`- linkend="install-short"> for more information.) Users of`
	`38`	`+ linkend="installation"> for more information.) Users of`
`39`	`39`	`binary packages might find PL/Perl in a separate subpackage.`
`40`	`40`	`</para>`
`41`	`41`	`</note>`
`@@ -397,6 +397,23 @@ $$ LANGUAGE plperl;`
`397`	`397`	`<literal>return $_SHARED{myquote}->($_[0]);</literal>`
`398`	`398`	`at the expense of readability.)`
`399`	`399`	`</para>`
	`400`	`+`
	`401`	`+ <para>`
	`402`	`+ For security reasons, PL/Perl executes functions called by any one SQL role`
	`403`	`+ in a separate Perl interpreter for that role. This prevents accidental or`
	`404`	`+ malicious interference by one user with the behavior of another user's`
	`405`	`+ PL/Perl functions. Each such interpreter has its own value of the`
	`406`	`+ <varname>%_SHARED</varname> variable and other global state. Thus, two`
	`407`	`+ PL/Perl functions will share the same value of <varname>%_SHARED</varname>`
	`408`	`+ if and only if they are executed by the same SQL role. In an application`
	`409`	`+ wherein a single session executes code under multiple SQL roles (via`
	`410`	`+ <literal>SECURITY DEFINER</> functions, use of <command>SET ROLE</>, etc)`
	`411`	`+ you may need to take explicit steps to ensure that PL/Perl functions can`
	`412`	`+ share data via <varname>%_SHARED</varname>. To do that, make sure that`
	`413`	`+ functions that should communicate are owned by the same user, and mark`
	`414`	`+ them <literal>SECURITY DEFINER</>. You must of course take care that`
	`415`	`+ such functions can't be used to do anything unintended.`
	`416`	`+ </para>`
`400`	`417`	`</sect1>`
`401`	`418`
`402`	`419`	`<sect1 id="plperl-trusted">`
`@@ -460,21 +477,31 @@ $$ LANGUAGE plperl;`
`460`	`477`	`</para>`
`461`	`478`
`462`	`479`	`<note>`
`463`		`- <para>`
`464`		`- For security reasons, to stop a leak of privileged operations from`
`465`		`- <application>PL/PerlU</> to <application>PL/Perl</>, these two languages`
`466`		`- have to run in separate instances of the Perl interpreter. If your`
`467`		`- Perl installation has been appropriately compiled, this is not a problem.`
`468`		`- However, not all installations are compiled with the requisite flags.`
`469`		`- If <productname>PostgreSQL</> detects that this is the case then it will`
`470`		`- not start a second interpreter, but instead create an error. In`
`471`		`- consequence, in such an installation, you cannot use both`
`472`		`- <application>PL/PerlU</> and <application>PL/Perl</> in the same backend`
`473`		`- process. The remedy for this is to obtain a Perl installation created`
`474`		`- with the appropriate flags, namely either <literal>usemultiplicity</> or`
`475`		`- both <literal>usethreads</> and <literal>useithreads</>.`
`476`		`- For more details,see the <literal>perlembed</> manual page.`
`477`		`- </para>`
	`480`	`+ <para>`
	`481`	`+ While <application>PL/Perl</> functions run in a separate Perl`
	`482`	`+ interpreter for each SQL role, all <application>PL/PerlU</> functions`
	`483`	`+ executed in a given session run in a single Perl interpreter (which is`
	`484`	`+ not any of the ones used for <application>PL/Perl</> functions).`
	`485`	`+ This allows <application>PL/PerlU</> functions to share data freely,`
	`486`	`+ but no communication can occur between <application>PL/Perl</> and`
	`487`	`+ <application>PL/PerlU</> functions.`
	`488`	`+ </para>`
	`489`	`+ </note>`
	`490`	`+`
	`491`	`+ <note>`
	`492`	`+ <para>`
	`493`	`+ Perl cannot support multiple interpreters within one process unless`
	`494`	`+ it was built with the appropriate flags, namely either`
	`495`	`+ <literal>usemultiplicity</> or <literal>useithreads</>.`
	`496`	`+ (<literal>usemultiplicity</> is preferred unless you actually need`
	`497`	`+ to use threads. For more details, see the`
	`498`	`+ <citerefentry><refentrytitle>perlembed</></citerefentry> man page.)`
	`499`	`+ If <application>PL/Perl</> is used with a copy of Perl that was not built`
	`500`	`+ this way, then it is only possible to have one Perl interpreter per`
	`501`	`+ session, and so any one session can only execute either`
	`502`	`+ <application>PL/PerlU</> functions, or <application>PL/Perl</> functions`
	`503`	`+ that are all called by the same SQL role.`
	`504`	`+ </para>`
`478`	`505`	`</note>`
`479`	`506`
`480`	`507`	`</sect1>`

`‎doc/src/sgml/pltcl.sgml`

Lines changed: 34 additions & 10 deletions

Original file line number	Diff line number	Diff line change
`@@ -210,14 +210,36 @@ $$ LANGUAGE pltcl;`
`210`	`210`	`Sometimes it`
`211`	`211`	`is useful to have some global data that is held between two`
`212`	`212`	`calls to a function or is shared between different functions.`
`213`		`- This is easily done since`
`214`		`- all PL/Tcl functions executed in one session share the same`
`215`		`- safe Tcl interpreter. So, any global Tcl variable is accessible to`
`216`		`- all PL/Tcl function calls and will persist for the duration of the`
`217`		`- SQL session. (Note that <application>PL/TclU</> functions likewise share`
`218`		`- global data, but they are in a different Tcl interpreter and cannot`
`219`		`- communicate with PL/Tcl functions.)`
	`213`	`+ This is easily done in PL/Tcl, but there are some restrictions that`
	`214`	`+ must be understood.`
`220`	`215`	`</para>`
	`216`	`+`
	`217`	`+ <para>`
	`218`	`+ For security reasons, PL/Tcl executes functions called by any one SQL`
	`219`	`+ role in a separate Tcl interpreter for that role. This prevents`
	`220`	`+ accidental or malicious interference by one user with the behavior of`
	`221`	`+ another user's PL/Tcl functions. Each such interpreter will have its own`
	`222`	`+ values for any <quote>global</> Tcl variables. Thus, two PL/Tcl`
	`223`	`+ functions will share the same global variables if and only if they are`
	`224`	`+ executed by the same SQL role. In an application wherein a single`
	`225`	`+ session executes code under multiple SQL roles (via <literal>SECURITY`
	`226`	`+ DEFINER</> functions, use of <command>SET ROLE</>, etc) you may need to`
	`227`	`+ take explicit steps to ensure that PL/Tcl functions can share data. To`
	`228`	`+ do that, make sure that functions that should communicate are owned by`
	`229`	`+ the same user, and mark them <literal>SECURITY DEFINER</>. You must of`
	`230`	`+ course take care that such functions can't be used to do anything`
	`231`	`+ unintended.`
	`232`	`+ </para>`
	`233`	`+`
	`234`	`+ <para>`
	`235`	`+ All PL/TclU functions used in a session execute in the same Tcl`
	`236`	`+ interpreter, which of course is distinct from the interpreter(s)`
	`237`	`+ used for PL/Tcl functions. So global data is automatically shared`
	`238`	`+ between PL/TclU functions. This is not considered a security risk`
	`239`	`+ because all PL/TclU functions execute at the same trust level,`
	`240`	`+ namely that of a database superuser.`
	`241`	`+ </para>`
	`242`	`+`
`221`	`243`	`<para>`
`222`	`244`	`To help protect PL/Tcl functions from unintentionally interfering`
`223`	`245`	`with each other, a global`
`@@ -227,7 +249,9 @@ $$ LANGUAGE pltcl;`
`227`	`249`	`<literal>GD</> be used`
`228`	`250`	`for persistent private data of a function. Use regular Tcl global`
`229`	`251`	`variables only for values that you specifically intend to be shared among`
`230`		`- multiple functions.`
	`252`	`+ multiple functions. (Note that the <literal>GD</> arrays are only`
	`253`	`+ global within a particular interpreter, so they do not bypass the`
	`254`	`+ security restrictions mentioned above.)`
`231`	`255`	`</para>`
`232`	`256`
`233`	`257`	`<para>`
`@@ -666,8 +690,8 @@ CREATE TRIGGER trig_mytab_modcount BEFORE INSERT OR UPDATE ON mytab`
`666`	`690`	`exists, the module <literal>unknown</> is fetched from the table`
`667`	`691`	`and loaded into the Tcl interpreter immediately before the first`
`668`	`692`	`execution of a PL/Tcl function in a database session. (This`
`669`		`- happens separately forPL/Tcland PL/TclU, ifboth are used,`
`670`		`-because separate interpreters are used for the two languages.)`
	`693`	`+ happens separately foreachTclinterpreter, ifmore than one is`
	`694`	`+used in a session; see <xref linkend="pltcl-global">.)`
`671`	`695`	`</para>`
`672`	`696`	`<para>`
`673`	`697`	`While the <literal>unknown</> module could actually contain any`

`‎doc/src/sgml/release-7.4.sgml`

Lines changed: 37 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -37,6 +37,43 @@`
`37`	`37`
`38`	`38`	`<itemizedlist>`
`39`	`39`
	`40`	`+ <listitem>`
	`41`	`+ <para>`
	`42`	`+ Use a separate interpreter for each calling SQL userid in PL/Perl and`
	`43`	`+ PL/Tcl (Tom Lane)`
	`44`	`+ </para>`
	`45`	`+`
	`46`	`+ <para>`
	`47`	`+ This change prevents security problems that can be caused by subverting`
	`48`	`+ Perl or Tcl code that will be executed later in the same session under`
	`49`	`+ another SQL user identity (for example, within a <literal>SECURITY`
	`50`	`+ DEFINER</> function). Most scripting languages offer numerous ways that`
	`51`	`+ that might be done, such as redefining standard functions or operators`
	`52`	`+ called by the target function. Without this change, any SQL user with`
	`53`	`+ Perl or Tcl language usage rights can do essentially anything with the`
	`54`	`+ SQL privileges of the target function's owner.`
	`55`	`+ </para>`
	`56`	`+`
	`57`	`+ <para>`
	`58`	`+ The cost of this change is that intentional communication among Perl`
	`59`	`+ and Tcl functions becomes more difficult. To provide an escape hatch,`
	`60`	`+ PL/PerlU and PL/TclU functions continue to use only one interpreter`
	`61`	`+ per session. This is not considered a security issue since all such`
	`62`	`+ functions execute at the trust level of a database superuser already.`
	`63`	`+ </para>`
	`64`	`+`
	`65`	`+ <para>`
	`66`	`+ It is likely that third-party procedural languages that claim to offer`
	`67`	`+ trusted execution have similar security issues. We advise contacting`
	`68`	`+ the authors of any PL you are depending on for security-critical`
	`69`	`+ purposes.`
	`70`	`+ </para>`
	`71`	`+`
	`72`	`+ <para>`
	`73`	`+ Our thanks to Tim Bunce for pointing out this issue (CVE-2010-3433).`
	`74`	`+ </para>`
	`75`	`+ </listitem>`
	`76`	`+`
`40`	`77`	`<listitem>`
`41`	`78`	`<para>`
`42`	`79`	`Prevent possible crashes in <function>pg_get_expr()</> by disallowing`

`‎doc/src/sgml/release-8.0.sgml`

Lines changed: 37 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -37,6 +37,43 @@`
`37`	`37`
`38`	`38`	`<itemizedlist>`
`39`	`39`
	`40`	`+ <listitem>`
	`41`	`+ <para>`
	`42`	`+ Use a separate interpreter for each calling SQL userid in PL/Perl and`
	`43`	`+ PL/Tcl (Tom Lane)`
	`44`	`+ </para>`
	`45`	`+`
	`46`	`+ <para>`
	`47`	`+ This change prevents security problems that can be caused by subverting`
	`48`	`+ Perl or Tcl code that will be executed later in the same session under`
	`49`	`+ another SQL user identity (for example, within a <literal>SECURITY`
	`50`	`+ DEFINER</> function). Most scripting languages offer numerous ways that`
	`51`	`+ that might be done, such as redefining standard functions or operators`
	`52`	`+ called by the target function. Without this change, any SQL user with`
	`53`	`+ Perl or Tcl language usage rights can do essentially anything with the`
	`54`	`+ SQL privileges of the target function's owner.`
	`55`	`+ </para>`
	`56`	`+`
	`57`	`+ <para>`
	`58`	`+ The cost of this change is that intentional communication among Perl`
	`59`	`+ and Tcl functions becomes more difficult. To provide an escape hatch,`
	`60`	`+ PL/PerlU and PL/TclU functions continue to use only one interpreter`
	`61`	`+ per session. This is not considered a security issue since all such`
	`62`	`+ functions execute at the trust level of a database superuser already.`
	`63`	`+ </para>`
	`64`	`+`
	`65`	`+ <para>`
	`66`	`+ It is likely that third-party procedural languages that claim to offer`
	`67`	`+ trusted execution have similar security issues. We advise contacting`
	`68`	`+ the authors of any PL you are depending on for security-critical`
	`69`	`+ purposes.`
	`70`	`+ </para>`
	`71`	`+`
	`72`	`+ <para>`
	`73`	`+ Our thanks to Tim Bunce for pointing out this issue (CVE-2010-3433).`
	`74`	`+ </para>`
	`75`	`+ </listitem>`
	`76`	`+`
`40`	`77`	`<listitem>`
`41`	`78`	`<para>`
`42`	`79`	`Prevent possible crashes in <function>pg_get_expr()</> by disallowing`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit8d7694b

File tree

9 files changed

9 files changed

`‎doc/src/sgml/installation.sgml`

`‎doc/src/sgml/plperl.sgml`

`‎doc/src/sgml/pltcl.sgml`

`‎doc/src/sgml/release-7.4.sgml`

`‎doc/src/sgml/release-8.0.sgml`

0 commit comments