NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit76123de

committed

Fix improper interactions between session_authorization and role.

The SQL spec mandates that SET SESSION AUTHORIZATION impliesSET ROLE NONE. We tried to implement that within the lowest-levelfunctions that manipulate these settings, but that was a bad idea.In particular, guc.c assumes that it doesn't matter in what orderit applies GUC variable updates, but that was not the case for thesetwo variables. This problem, compounded by some hackish attempts towork around it, led to some security-grade issues:* Rolling back a transaction that had done SET SESSION AUTHORIZATIONwould revert to SET ROLE NONE, even if that had not been the previousstate, so that the effective user ID might now be different from whatit had been.* The same for SET SESSION AUTHORIZATION in a function SET clause.* If a parallel worker inspected current_setting('role'), it saw"none" even when it should see something else.Also, although the parallel worker startup code intended to copewith the current role's pg_authid row having disappeared, itsimplementation of that was incomplete so it would still fail.Fix by fully separating the miscinit.c functions that assignsession_authorization from those that assign role. To implement thespec's requirement, teach set_config_option itself to perform "SETROLE NONE" when it sets session_authorization. (This is undoubtedlyugly, but the alternatives seem worse. In particular, there's no wayto do it within assign_session_authorization without incompatiblechanges in the API for GUC assign hooks.) Also, improveParallelWorkerMain to directly set all the relevant user-ID variablesinstead of relying on some of them to get set indirectly. Thatallows us to survive not finding the pg_authid row during workerstartup.In v16 and earlier, this includes back-patching9987a7b whichfixed a violation of GUC coding rules: SetSessionAuthorizationis not an appropriate place to be throwing errors from.Security:CVE-2024-10978

1 parent952ff31 commit76123deCopy full SHA for 76123de

File tree

7 files changed

+341

-109

lines changed

src
- backend
  - access/transam
    - parallel.c
  - commands
    - variable.c
  - utils
    - init
      - miscinit.c
    - misc
      - guc.c
- include
  - miscadmin.h
- test/regress
  - expected
    - privileges.out
  - sql
    - privileges.sql

7 files changed

+341

-109

lines changed

`‎src/backend/access/transam/parallel.c`

Lines changed: 27 additions & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -83,12 +83,15 @@ typedef struct FixedParallelState`
`83`	`83`	`/* Fixed-size state that workers must restore. */`
`84`	`84`	`Oiddatabase_id;`
`85`	`85`	`Oidauthenticated_user_id;`
`86`		`-Oidcurrent_user_id;`
	`86`	`+Oidsession_user_id;`
`87`	`87`	`Oidouter_user_id;`
	`88`	`+Oidcurrent_user_id;`
`88`	`89`	`Oidtemp_namespace_id;`
`89`	`90`	`Oidtemp_toast_namespace_id;`
`90`	`91`	`intsec_context;`
`91`		`-boolis_superuser;`
	`92`	`+boolauthenticated_user_is_superuser;`
	`93`	`+boolsession_user_is_superuser;`
	`94`	`+boolrole_is_superuser;`
`92`	`95`	`PGPROC*parallel_master_pgproc;`
`93`	`96`	`pid_tparallel_master_pid;`
`94`	`97`	`BackendIdparallel_master_backend_id;`
`@@ -330,9 +333,12 @@ InitializeParallelDSM(ParallelContext *pcxt)`
`330`	`333`	`shm_toc_allocate(pcxt->toc,sizeof(FixedParallelState));`
`331`	`334`	`fps->database_id=MyDatabaseId;`
`332`	`335`	`fps->authenticated_user_id=GetAuthenticatedUserId();`
	`336`	`+fps->session_user_id=GetSessionUserId();`
`333`	`337`	`fps->outer_user_id=GetCurrentRoleId();`
`334`		`-fps->is_superuser=session_auth_is_superuser;`
`335`	`338`	`GetUserIdAndSecContext(&fps->current_user_id,&fps->sec_context);`
	`339`	`+fps->authenticated_user_is_superuser=GetAuthenticatedUserIsSuperuser();`
	`340`	`+fps->session_user_is_superuser=GetSessionUserIsSuperuser();`
	`341`	`+fps->role_is_superuser=session_auth_is_superuser;`
`336`	`342`	`GetTempNamespaceState(&fps->temp_namespace_id,`
`337`	`343`	`&fps->temp_toast_namespace_id);`
`338`	`344`	`fps->parallel_master_pgproc=MyProc;`
`@@ -1395,6 +1401,18 @@ ParallelWorkerMain(Datum main_arg)`
`1395`	`1401`
`1396`	`1402`	`entrypt=LookupParallelWorkerFunction(library_name,function_name);`
`1397`	`1403`
	`1404`	`+/*`
	`1405`	`+ * Restore current session authorization and role id. No verification`
	`1406`	`+ * happens here, we just blindly adopt the leader's state. Note that this`
	`1407`	`+ * has to happen before InitPostgres, since InitializeSessionUserId will`
	`1408`	`+ * not set these variables.`
	`1409`	`+ */`
	`1410`	`+SetAuthenticatedUserId(fps->authenticated_user_id,`
	`1411`	`+fps->authenticated_user_is_superuser);`
	`1412`	`+SetSessionAuthorization(fps->session_user_id,`
	`1413`	`+fps->session_user_is_superuser);`
	`1414`	`+SetCurrentRoleId(fps->outer_user_id,fps->role_is_superuser);`
	`1415`	`+`
`1398`	`1416`	`/* Restore database connection. */`
`1399`	`1417`	`BackgroundWorkerInitializeConnectionByOid(fps->database_id,`
`1400`	`1418`	`fps->authenticated_user_id,`
`@@ -1460,13 +1478,13 @@ ParallelWorkerMain(Datum main_arg)`
`1460`	`1478`	`InvalidateSystemCaches();`
`1461`	`1479`
`1462`	`1480`	`/*`
`1463`		`- * Restore current role id. Skip verifying whether session user is`
`1464`		`- * allowed to become this role and blindly restore the leader's state for`
`1465`		`- * current role.`
	`1481`	`+ * Restore current user ID and security context. No verification happens`
	`1482`	`+ * here, we just blindly adopt the leader's state. We can't do this till`
	`1483`	`+ * after restoring GUCs, else we'll get complaints about restoring`
	`1484`	`+ * session_authorization and role. (In effect, we're assuming that all`
	`1485`	`+ * the restored values are okay to set, even if we are now inside a`
	`1486`	`+ * restricted context.)`
`1466`	`1487`	`*/`
`1467`		`-SetCurrentRoleId(fps->outer_user_id,fps->is_superuser);`
`1468`		`-`
`1469`		`-/* Restore user ID and security context. */`
`1470`	`1488`	`SetUserIdAndSecContext(fps->current_user_id,fps->sec_context);`
`1471`	`1489`
`1472`	`1490`	`/* Restore temp-namespace state to ensure search path matches leader's. */`

`‎src/backend/commands/variable.c`

Lines changed: 72 additions & 29 deletions

Original file line number	Diff line number	Diff line change
`@@ -753,40 +753,78 @@ check_session_authorization(char newval, void extra, GucSource source)`
`753`	`753`	`if (*newval==NULL)`
`754`	`754`	`return true;`
`755`	`755`
`756`		`-if (!IsTransactionState())`
	`756`	`+if (InitializingParallelWorker)`
`757`	`757`	`{`
`758`	`758`	`/*`
`759`		`- *Can't do catalog lookups, so fail. The result of this is that`
`760`		`- *session_authorization cannot be set in postgresql.conf, which seems`
`761`		`- *like a good thing anyway, so we don't work hard to avoid it.`
	`759`	`+ *In parallel worker initialization, we want to copy the leader's`
	`760`	`+ *state even if it no longer matches the catalogs. ParallelWorkerMain`
	`761`	`+ *already installed the correct role OID and superuser state.`
`762`	`762`	`*/`
`763`		`-return false;`
	`763`	`+roleid=GetSessionUserId();`
	`764`	`+is_superuser=GetSessionUserIsSuperuser();`
`764`	`765`	`}`
`765`		`-`
`766`		`-/* Look up the username */`
`767`		`-roleTup=SearchSysCache1(AUTHNAME,PointerGetDatum(*newval));`
`768`		`-if (!HeapTupleIsValid(roleTup))`
	`766`	`+else`
`769`	`767`	`{`
	`768`	`+if (!IsTransactionState())`
	`769`	`+{`
	`770`	`+/*`
	`771`	`+ * Can't do catalog lookups, so fail. The result of this is that`
	`772`	`+ * session_authorization cannot be set in postgresql.conf, which`
	`773`	`+ * seems like a good thing anyway, so we don't work hard to avoid`
	`774`	`+ * it.`
	`775`	`+ */`
	`776`	`+return false;`
	`777`	`+}`
	`778`	`+`
`770`	`779`	`/*`
`771`	`780`	`* When source == PGC_S_TEST, we don't throw a hard error for a`
`772`		`- * nonexistent user name, only a NOTICE. See comments in guc.h.`
	`781`	`+ * nonexistent user name or insufficient privileges, only a NOTICE.`
	`782`	`+ * See comments in guc.h.`
`773`	`783`	`*/`
`774`		`-if (source==PGC_S_TEST)`
	`784`	`+`
	`785`	`+/* Look up the username */`
	`786`	`+roleTup=SearchSysCache1(AUTHNAME,PointerGetDatum(*newval));`
	`787`	`+if (!HeapTupleIsValid(roleTup))`
`775`	`788`	`{`
`776`		`-ereport(NOTICE,`
`777`		`-(errcode(ERRCODE_UNDEFINED_OBJECT),`
`778`		`-errmsg("role \"%s\" does not exist",*newval)));`
`779`		`-return true;`
	`789`	`+if (source==PGC_S_TEST)`
	`790`	`+{`
	`791`	`+ereport(NOTICE,`
	`792`	`+(errcode(ERRCODE_UNDEFINED_OBJECT),`
	`793`	`+errmsg("role \"%s\" does not exist",*newval)));`
	`794`	`+return true;`
	`795`	`+}`
	`796`	`+GUC_check_errmsg("role \"%s\" does not exist",*newval);`
	`797`	`+return false;`
`780`	`798`	`}`
`781`		`-GUC_check_errmsg("role \"%s\" does not exist",*newval);`
`782`		`-return false;`
`783`		`-}`
`784`	`799`
`785`		`-roleform= (Form_pg_authid)GETSTRUCT(roleTup);`
`786`		`-roleid=roleform->oid;`
`787`		`-is_superuser=roleform->rolsuper;`
	`800`	`+roleform= (Form_pg_authid)GETSTRUCT(roleTup);`
	`801`	`+roleid=roleform->oid;`
	`802`	`+is_superuser=roleform->rolsuper;`
`788`	`803`
`789`		`-ReleaseSysCache(roleTup);`
	`804`	`+ReleaseSysCache(roleTup);`
	`805`	`+`
	`806`	`+/*`
	`807`	`+ * Only superusers may SET SESSION AUTHORIZATION a role other than`
	`808`	`+ * itself. Note that in case of multiple SETs in a single session, the`
	`809`	`+ * original authenticated user's superuserness is what matters.`
	`810`	`+ */`
	`811`	`+if (roleid!=GetAuthenticatedUserId()&&`
	`812`	`+!GetAuthenticatedUserIsSuperuser())`
	`813`	`+{`
	`814`	`+if (source==PGC_S_TEST)`
	`815`	`+{`
	`816`	`+ereport(NOTICE,`
	`817`	`+(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),`
	`818`	`+errmsg("permission will be denied to set session authorization \"%s\"",`
	`819`	`+*newval)));`
	`820`	`+return true;`
	`821`	`+}`
	`822`	`+GUC_check_errcode(ERRCODE_INSUFFICIENT_PRIVILEGE);`
	`823`	`+GUC_check_errmsg("permission denied to set session authorization \"%s\"",`
	`824`	`+*newval);`
	`825`	`+return false;`
	`826`	`+}`
	`827`	`+}`
`790`	`828`
`791`	`829`	`/* Set up "extra" struct for assign_session_authorization to use */`
`792`	`830`	`myextra= (role_auth_extra*)malloc(sizeof(role_auth_extra));`
`@@ -836,6 +874,16 @@ check_role(char newval, void extra, GucSource source)`
`836`	`874`	`roleid=InvalidOid;`
`837`	`875`	`is_superuser= false;`
`838`	`876`	`}`
	`877`	`+elseif (InitializingParallelWorker)`
	`878`	`+{`
	`879`	`+/*`
	`880`	`+ * In parallel worker initialization, we want to copy the leader's`
	`881`	`+ * state even if it no longer matches the catalogs. ParallelWorkerMain`
	`882`	`+ * already installed the correct role OID and superuser state.`
	`883`	`+ */`
	`884`	`+roleid=GetCurrentRoleId();`
	`885`	`+is_superuser=session_auth_is_superuser;`
	`886`	`+}`
`839`	`887`	`else`
`840`	`888`	`{`
`841`	`889`	`if (!IsTransactionState())`
`@@ -875,13 +923,8 @@ check_role(char newval, void extra, GucSource source)`
`875`	`923`
`876`	`924`	`ReleaseSysCache(roleTup);`
`877`	`925`
`878`		`-/*`
`879`		`- * Verify that session user is allowed to become this role, but skip`
`880`		`- * this in parallel mode, where we must blindly recreate the parallel`
`881`		`- * leader's state.`
`882`		`- */`
`883`		`-if (!InitializingParallelWorker&&`
`884`		`-!is_member_of_role(GetSessionUserId(),roleid))`
	`926`	`+/* Verify that session user is allowed to become this role */`
	`927`	`+if (!is_member_of_role(GetSessionUserId(),roleid))`
`885`	`928`	`{`
`886`	`929`	`if (source==PGC_S_TEST)`
`887`	`930`	`{`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit76123de

File tree

7 files changed

7 files changed

`‎src/backend/access/transam/parallel.c`

`‎src/backend/commands/variable.c`

0 commit comments