Commit 1c05004

Fix per-session activation of ALTER {ROLE|DATABASE} SET role.

After commit 5a2fed9, the catalog state resulting from these commands ceased to affect sessions. Restore the longstanding behavior, which is like beginning the session with a SET ROLE command. If cherry-picking the CVE-2024-10978 fixes, default to including this, too. (This fixes an unintended side effect of fixing CVE-2024-10978.) Back-patch to v12, like that commit. The release team decided to include v12, despite the original intent to halt v12 commits earlier this week.

Tom Lane and Noah Misch. Reported by Etienne LAFARGE.

Discussion: https://postgr.es/m/CADOZwSb0UsEr4_UTFXC5k7=fyyK8uKXekucd+-uuGjJsGBfxgw@mail.gmail.com

1 parent 568e78a commit 1c05004

6 files changed, +90 -3 lines changed

‎src/backend/utils/init/miscinit.c

Lines changed: 19 additions & 1 deletion
@@ -815,7 +815,25 @@ InitializeSessionUserId(const char *rolename, Oid roleid, bool bypass_login_chec
815815
{
816816
SetAuthenticatedUserId(roleid);
817817

818-
/* Set SessionUserId and related variables via the GUC mechanisms */
818+
/*
819+
* Set SessionUserId and related variables, including "role", via the
820+
* GUC mechanisms.
821+
*
822+
* Note: ideally we would use PGC_S_DYNAMIC_DEFAULT here, so that
823+
* session_authorization could subsequently be changed from
824+
* pg_db_role_setting entries. Instead, session_authorization in
825+
* pg_db_role_setting has no effect. Changing that would require
826+
* solving two problems:
827+
*
828+
* 1. If pg_db_role_setting has values for both session_authorization
829+
* and role, we could not be sure which order those would be applied
830+
* in, and it would matter.
831+
*
832+
* 2. Sites may have years-old session_authorization entries. There's
833+
* not been any particular reason to remove them. Ending the dormancy
834+
* of those entries could seriously change application behavior, so
835+
* only a major release should do that.
836+
*/
819837
SetConfigOption("session_authorization",rname,
820838
PGC_BACKEND,PGC_S_OVERRIDE);
821839
}
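
Review bot: In the new comment above SetConfigOption("session_authorization", ...), the first sentence says "role" is set here too, yet the call still passes PGC_S_OVERRIDE and nothing in this function says where "role" ends up with a different source. Add a pointer to the special case in set_config_with_handle, so that a reader of this function alone can see why pg_db_role_setting can still override "role" while session_authorization entries stay dormant.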

‎src/backend/utils/misc/guc.c

Lines changed: 9 additions & 1 deletion
@@ -4102,6 +4102,12 @@ set_config_with_handle(const char *name, config_handle *handle,
41024102
* expect that if "role" isn't supposed to be default, it
41034103
* has been or will be set by a separate reload action.
41044104
*
4105+
* Also, for the call from InitializeSessionUserId with
4106+
* source == PGC_S_OVERRIDE, use PGC_S_DYNAMIC_DEFAULT for
4107+
* "role"'s source, so that it's still possible to set
4108+
* "role" from pg_db_role_setting entries. (See notes in
4109+
* InitializeSessionUserId before changing this.)
4110+
*
41054111
* A fine point: for RESET session_authorization, we do
41064112
* "RESET role" not "SET ROLE NONE" (by passing down NULL
41074113
* rather than "none" for the value). This would have the
@@ -4114,7 +4120,9 @@ set_config_with_handle(const char *name, config_handle *handle,
41144120
(void)set_config_with_handle("role",NULL,
41154121
value ?"none" :NULL,
41164122
orig_context,
4117-
orig_source,
4123+
(orig_source==PGC_S_OVERRIDE)
4124+
?PGC_S_DYNAMIC_DEFAULT
4125+
:orig_source,
41184126
orig_srole,
41194127
action,
41204128
true,
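
Review bot: The condition (orig_source==PGC_S_OVERRIDE) tests only the source, while the comment added in the previous hunk describes the rule as applying to "the call from InitializeSessionUserId". Any other caller that sets session_authorization with PGC_S_OVERRIDE would have "role" downgraded to PGC_S_DYNAMIC_DEFAULT as well. Either reword the comment to say the rule covers every PGC_S_OVERRIDE caller, or state, ideally with an assertion, that InitializeSessionUserId is the only one.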

‎src/test/modules/unsafe_tests/Makefile

Lines changed: 4 additions & 1 deletion
@@ -1,6 +1,9 @@
11
# src/test/modules/unsafe_tests/Makefile
22

3-
REGRESS = rolenames alter_system_table guc_privs
3+
REGRESS = rolenames setconfig alter_system_table guc_privs
4+
REGRESS_OPTS =\
5+
--create-role=regress_authenticated_user_sr\
6+
--create-role=regress_authenticated_user_ssa
47

58
# the whole point of these tests is to not run installcheck
69
NO_INSTALLCHECK = 1
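
Review bot: The role names passed via --create-role in REGRESS_OPTS end in _sr and _ssa with no explanation here. Judging by the setconfig test they appear to stand for the "SET role" and "SET session_authorization" cases; a short comment above REGRESS_OPTS saying so, and noting that both roles are login-capable for the duration of the run, would sit well next to the existing NO_INSTALLCHECK remark.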
Lines changed: 31 additions & 0 deletions
@@ -0,0 +1,31 @@
1+
-- This is borderline unsafe in that an additional login-capable user exists
2+
-- during the test run. Under installcheck, a too-permissive pg_hba.conf
3+
-- might allow unwanted logins as regress_authenticated_user_ssa.
4+
ALTER USER regress_authenticated_user_ssa superuser;
5+
CREATE ROLE regress_session_user;
6+
CREATE ROLE regress_current_user;
7+
GRANT regress_current_user TO regress_authenticated_user_sr;
8+
GRANT regress_session_user TO regress_authenticated_user_ssa;
9+
ALTER ROLE regress_authenticated_user_ssa
10+
SET session_authorization = regress_session_user;
11+
ALTER ROLE regress_authenticated_user_sr SET ROLE = regress_current_user;
12+
\c - regress_authenticated_user_sr
13+
SELECT current_user, session_user;
14+
current_user | session_user
15+
----------------------+-------------------------------
16+
regress_current_user | regress_authenticated_user_sr
17+
(1 row)
18+
19+
-- The longstanding historical behavior is that session_authorization in
20+
-- setconfig has no effect. Hence, session_user remains
21+
-- regress_authenticated_user_ssa. See comment in InitializeSessionUserId().
22+
\c - regress_authenticated_user_ssa
23+
SELECT current_user, session_user;
24+
current_user | session_user
25+
--------------------------------+--------------------------------
26+
regress_authenticated_user_ssa | regress_authenticated_user_ssa
27+
(1 row)
28+
29+
RESET SESSION AUTHORIZATION;
30+
DROP USER regress_session_user;
31+
DROP USER regress_current_user;
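
Review bot: The commit title covers ALTER {ROLE|DATABASE} SET role, but this expected output only exercises the per-role form (ALTER ROLE ... SET ROLE at line 11). Consider adding an ALTER DATABASE ... SET role case, and an ALTER ROLE ... IN DATABASE case, so that each pg_db_role_setting path the fix restores has a regression check.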

‎src/test/modules/unsafe_tests/meson.build

Lines changed: 3 additions & 0 deletions
@@ -7,9 +7,12 @@ tests += {
77
'regress': {
88
'sql': [
99
'rolenames',
10+
'setconfig',
1011
'alter_system_table',
1112
'guc_privs',
1213
],
14+
'regress_args': ['--create-role=regress_authenticated_user_sr',
15+
'--create-role=regress_authenticated_user_ssa'],
1316
'runningcheck':false,
1417
},
1518
}
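
Review bot: The two --create-role arguments in 'regress_args' duplicate the list in the Makefile's REGRESS_OPTS, so the two build systems can drift if one is edited without the other. A brief comment here noting that the role list must match the Makefile would help.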
Lines changed: 24 additions & 0 deletions
@@ -0,0 +1,24 @@
1+
-- This is borderline unsafe in that an additional login-capable user exists
2+
-- during the test run. Under installcheck, a too-permissive pg_hba.conf
3+
-- might allow unwanted logins as regress_authenticated_user_ssa.
4+
5+
ALTERUSER regress_authenticated_user_ssa superuser;
6+
CREATE ROLE regress_session_user;
7+
CREATE ROLE regress_current_user;
8+
GRANT regress_current_user TO regress_authenticated_user_sr;
9+
GRANT regress_session_user TO regress_authenticated_user_ssa;
10+
ALTER ROLE regress_authenticated_user_ssa
11+
SET session_authorization= regress_session_user;
12+
ALTER ROLE regress_authenticated_user_srSET ROLE= regress_current_user;
13+
14+
\c- regress_authenticated_user_sr
15+
SELECTcurrent_user,session_user;
16+
17+
-- The longstanding historical behavior is that session_authorization in
18+
-- setconfig has no effect. Hence, session_user remains
19+
-- regress_authenticated_user_ssa. See comment in InitializeSessionUserId().
20+
\c- regress_authenticated_user_ssa
21+
SELECTcurrent_user,session_user;
22+
RESET SESSION AUTHORIZATION;
23+
DROPUSER regress_session_user;
24+
DROPUSER regress_current_user;
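
Review bot: The cleanup at lines 22-24 drops regress_session_user and regress_current_user but leaves regress_authenticated_user_ssa as superuser (line 5) and leaves both ALTER ROLE ... SET entries in place, now naming dropped roles. Undo those before the drops, for example with ALTER ROLE regress_authenticated_user_sr RESET role, ALTER ROLE regress_authenticated_user_ssa RESET session_authorization and ALTER USER regress_authenticated_user_ssa NOSUPERUSER, so that a later test in the same cluster connecting as these roles does not inherit stale settings or superuser rights.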
