NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit7854127

committed

Ban role pg_signal_backend from more superuser backend types.

Documentation says it cannot signal "a backend owned by a superuser".On the contrary, it could signal background workers, including thelogical replication launcher. It could signal autovacuum workers andthe autovacuum launcher. Block all that. Signaling autovacuum workersand those two launchers doesn't stall progress beyond what one couldachieve other ways. If a cluster uses a non-core extension with abackground worker that does not auto-restart, this could create a denialof service with respect to that background worker. A background workerwith bugs in its code for responding to terminations or cancellationscould experience those bugs at a time the pg_signal_backend memberchooses. Back-patch to v11 (all supported versions).Reviewed by Jelte Fennema-Nio. Reported by Hemanth Sandrana andMahendrakar Srinivasarao.Security:CVE-2023-5870

1 parentb122776 commit7854127Copy full SHA for 7854127

File tree

3 files changed

+40

-2

lines changed

src
- backend/storage/ipc
  - signalfuncs.c
- test/regress
  - expected
    - privileges.out
  - sql
    - privileges.sql

3 files changed

+40

-2

lines changed

`‎src/backend/storage/ipc/signalfuncs.c`

Lines changed: 7 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -74,8 +74,13 @@ pg_signal_backend(int pid, int sig)`
`74`	`74`	`returnSIGNAL_BACKEND_ERROR;`
`75`	`75`	`}`
`76`	`76`
`77`		`-/* Only allow superusers to signal superuser-owned backends. */`
`78`		`-if (superuser_arg(proc->roleId)&& !superuser())`
	`77`	`+/*`
	`78`	`+ * Only allow superusers to signal superuser-owned backends. Any process`
	`79`	`+ * not advertising a role might have the importance of a superuser-owned`
	`80`	`+ * backend, so treat it that way.`
	`81`	`+ */`
	`82`	`+if ((!OidIsValid(proc->roleId)\|\|superuser_arg(proc->roleId))&&`
	`83`	`+!superuser())`
`79`	`84`	`returnSIGNAL_BACKEND_NOSUPERUSER;`
`80`	`85`
`81`	`86`	`/* Users can signal backends they have role membership in. */`

`‎src/test/regress/expected/privileges.out`

Lines changed: 18 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -2083,6 +2083,24 @@ SELECT * FROM pg_largeobject LIMIT 0;`
`2083`	`2083`	`SET SESSION AUTHORIZATION regress_priv_user1;`
`2084`	`2084`	`SELECT * FROM pg_largeobject LIMIT 0;-- to be denied`
`2085`	`2085`	`ERROR: permission denied for table pg_largeobject`
	`2086`	`+-- pg_signal_backend can't signal superusers`
	`2087`	`+RESET SESSION AUTHORIZATION;`
	`2088`	`+BEGIN;`
	`2089`	`+CREATE OR REPLACE FUNCTION terminate_nothrow(pid int) RETURNS bool`
	`2090`	`+LANGUAGE plpgsql SECURITY DEFINER SET client_min_messages = error AS $$`
	`2091`	`+BEGIN`
	`2092`	`+RETURN pg_terminate_backend($1);`
	`2093`	`+EXCEPTION WHEN OTHERS THEN`
	`2094`	`+RETURN false;`
	`2095`	`+END$$;`
	`2096`	`+ALTER FUNCTION terminate_nothrow OWNER TO pg_signal_backend;`
	`2097`	`+SELECT backend_type FROM pg_stat_activity`
	`2098`	`+WHERE CASE WHEN COALESCE(usesysid, 10) = 10 THEN terminate_nothrow(pid) END;`
	`2099`	`+ backend_type`
	`2100`	`+--------------`
	`2101`	`+(0 rows)`
	`2102`	`+`
	`2103`	`+ROLLBACK;`
`2086`	`2104`	`-- test pg_database_owner`
`2087`	`2105`	`RESET SESSION AUTHORIZATION;`
`2088`	`2106`	`GRANT pg_database_owner TO regress_priv_user1;`

`‎src/test/regress/sql/privileges.sql`

Lines changed: 15 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1349,6 +1349,21 @@ SELECT * FROM pg_largeobject LIMIT 0;`
`1349`	`1349`	`SET SESSION AUTHORIZATION regress_priv_user1;`
`1350`	`1350`	`SELECT*FROM pg_largeobjectLIMIT0;-- to be denied`
`1351`	`1351`
	`1352`	`+-- pg_signal_backend can't signal superusers`
	`1353`	`+RESET SESSION AUTHORIZATION;`
	`1354`	`+BEGIN;`
	`1355`	`+CREATE OR REPLACEFUNCTIONterminate_nothrow(pidint) RETURNS bool`
	`1356`	`+LANGUAGE plpgsql SECURITY DEFINERSET client_min_messages= errorAS $$`
	`1357`	`+BEGIN`
	`1358`	`+RETURN pg_terminate_backend($1);`
	`1359`	`+EXCEPTION WHEN OTHERS THEN`
	`1360`	`+RETURN false;`
	`1361`	`+END$$;`
	`1362`	`+ALTERFUNCTION terminate_nothrow OWNER TO pg_signal_backend;`
	`1363`	`+SELECT backend_typeFROM pg_stat_activity`
	`1364`	`+WHERE CASE WHEN COALESCE(usesysid,10)=10 THEN terminate_nothrow(pid) END;`
	`1365`	`+ROLLBACK;`
	`1366`	`+`
`1352`	`1367`	`-- test pg_database_owner`
`1353`	`1368`	`RESET SESSION AUTHORIZATION;`
`1354`	`1369`	`GRANT pg_database_owner TO regress_priv_user1;`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit7854127

File tree

3 files changed

3 files changed

`‎src/backend/storage/ipc/signalfuncs.c`

`‎src/test/regress/expected/privileges.out`

`‎src/test/regress/sql/privileges.sql`

0 commit comments