NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commita0363ab

committed

Fix privilege check for SET SESSION AUTHORIZATION.

Presently, the privilege check for SET SESSION AUTHORIZATION checkswhether the original authenticated role was a superuser atconnection start time. Even if the role loses the superuserattribute, its existing sessions are permitted to change sessionauthorization to any role.This commit modifies this privilege check to verify the originalauthenticated role currently has superuser. In the event that theauthenticated role loses superuser within a session authorizationchange, the authorization change will remain in effect, which meansthe user can still take advantage of the target role's privileges.However, [RE]SET SESSION AUTHORIZATION will only permit switchingto the original authenticated role.Author: Joseph KoshakowDiscussion:https://postgr.es/m/CAAvxfHc-HHzONQ2oXdvhFF9ayRnidPwK%2BfVBhRzaBWYYLVQL-g%40mail.gmail.com

1 parent9987a7b commita0363abCopy full SHA for a0363ab

File tree

4 files changed

+10

-23

lines changed

doc/src/sgml/ref
- set_session_auth.sgml
src
- backend
  - commands
    - variable.c
  - utils/init
    - miscinit.c
- include
  - miscadmin.h

4 files changed

+10

-23

lines changed

`‎doc/src/sgml/ref/set_session_auth.sgml`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -51,7 +51,7 @@ RESET SESSION AUTHORIZATION`
`51`	`51`
`52`	`52`	`<para>`
`53`	`53`	`The session user identifier can be changed only if the initial session`
`54`		`- user (the <firstterm>authenticated user</firstterm>)had the`
	`54`	`+ user (the <firstterm>authenticated user</firstterm>)has the`
`55`	`55`	`superuser privilege. Otherwise, the command is accepted only if it`
`56`	`56`	`specifies the authenticated user name.`
`57`	`57`	`</para>`

`‎src/backend/commands/variable.c`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -854,7 +854,7 @@ check_session_authorization(char newval, void extra, GucSource source)`
`854`	`854`	`* authenticated user's superuserness is what matters.`
`855`	`855`	`*/`
`856`	`856`	`if (roleid!=GetAuthenticatedUserId()&&`
`857`		`-!GetAuthenticatedUserIsSuperuser())`
	`857`	`+!superuser_arg(GetAuthenticatedUserId()))`
`858`	`858`	`{`
`859`	`859`	`if (source==PGC_S_TEST)`
`860`	`860`	`{`

`‎src/backend/utils/init/miscinit.c`

Lines changed: 8 additions & 20 deletions

Original file line number	Diff line number	Diff line change
`@@ -467,8 +467,8 @@ ChangeToDataDir(void)`
`467`	`467`	`* AuthenticatedUserId is determined at connection start and never changes.`
`468`	`468`	`*`
`469`	`469`	`* SessionUserId is initially the same as AuthenticatedUserId, but can be`
`470`		`- * changed by SET SESSION AUTHORIZATION (ifAuthenticatedUserIsSuperuser).`
`471`		`- * This is the ID reported by the SESSION_USER SQL function.`
	`470`	`+ * changed by SET SESSION AUTHORIZATION (ifAuthenticatedUserId is a`
	`471`	`+ *superuser).This is the ID reported by the SESSION_USER SQL function.`
`472`	`472`	`*`
`473`	`473`	`* OuterUserId is the current user ID in effect at the "outer level" (outside`
`474`	`474`	`* any transaction or function). This is initially the same as SessionUserId,`
`@@ -492,8 +492,7 @@ static OidOuterUserId = InvalidOid;`
`492`	`492`	`staticOidCurrentUserId=InvalidOid;`
`493`	`493`	`staticconstchar*SystemUser=NULL;`
`494`	`494`
`495`		`-/* We also have to remember the superuser state of some of these levels */`
`496`		`-staticboolAuthenticatedUserIsSuperuser= false;`
	`495`	`+/* We also have to remember the superuser state of the session user */`
`497`	`496`	`staticboolSessionUserIsSuperuser= false;`
`498`	`497`
`499`	`498`	`staticintSecurityRestrictionContext=0;`
`@@ -582,16 +581,6 @@ GetAuthenticatedUserId(void)`
`582`	`581`	`returnAuthenticatedUserId;`
`583`	`582`	`}`
`584`	`583`
`585`		`-/*`
`586`		`- * Return whether the authenticated user was superuser at connection start.`
`587`		`- */`
`588`		`-bool`
`589`		`-GetAuthenticatedUserIsSuperuser(void)`
`590`		`-{`
`591`		`-Assert(OidIsValid(AuthenticatedUserId));`
`592`		`-returnAuthenticatedUserIsSuperuser;`
`593`		`-}`
`594`		`-`
`595`	`584`
`596`	`585`	`/*`
`597`	`586`	`* GetUserIdAndSecContext/SetUserIdAndSecContext - get/set the current user ID`
`@@ -741,6 +730,7 @@ InitializeSessionUserId(const char *rolename, Oid roleid)`
`741`	`730`	`HeapTupleroleTup;`
`742`	`731`	`Form_pg_authidrform;`
`743`	`732`	`char*rname;`
	`733`	`+boolis_superuser;`
`744`	`734`
`745`	`735`	`/*`
`746`	`736`	`* Don't do scans if we're bootstrapping, none of the system catalogs`
`@@ -780,10 +770,10 @@ InitializeSessionUserId(const char *rolename, Oid roleid)`
`780`	`770`	`rname=NameStr(rform->rolname);`
`781`	`771`
`782`	`772`	`AuthenticatedUserId=roleid;`
`783`		`-AuthenticatedUserIsSuperuser=rform->rolsuper;`
	`773`	`+is_superuser=rform->rolsuper;`
`784`	`774`
`785`	`775`	`/* This sets OuterUserId/CurrentUserId too */`
`786`		`-SetSessionUserId(roleid,AuthenticatedUserIsSuperuser);`
	`776`	`+SetSessionUserId(roleid,is_superuser);`
`787`	`777`
`788`	`778`	`/* Also mark our PGPROC entry with the authenticated user id */`
`789`	`779`	`/* (We assume this is an atomic store so no lock is needed) */`
`@@ -816,7 +806,7 @@ InitializeSessionUserId(const char *rolename, Oid roleid)`
`816`	`806`	`* just document that the connection limit is approximate.`
`817`	`807`	`*/`
`818`	`808`	`if (rform->rolconnlimit >=0&&`
`819`		`-!AuthenticatedUserIsSuperuser&&`
	`809`	`+!is_superuser&&`
`820`	`810`	`CountUserBackends(roleid)>rform->rolconnlimit)`
`821`	`811`	`ereport(FATAL,`
`822`	`812`	`(errcode(ERRCODE_TOO_MANY_CONNECTIONS),`
`@@ -828,7 +818,7 @@ InitializeSessionUserId(const char *rolename, Oid roleid)`
`828`	`818`	`SetConfigOption("session_authorization",rname,`
`829`	`819`	`PGC_BACKEND,PGC_S_OVERRIDE);`
`830`	`820`	`SetConfigOption("is_superuser",`
`831`		`-AuthenticatedUserIsSuperuser ?"on" :"off",`
	`821`	`+is_superuser ?"on" :"off",`
`832`	`822`	`PGC_INTERNAL,PGC_S_DYNAMIC_DEFAULT);`
`833`	`823`
`834`	`824`	`ReleaseSysCache(roleTup);`
`@@ -851,8 +841,6 @@ InitializeSessionUserIdStandalone(void)`
`851`	`841`	`Assert(!OidIsValid(AuthenticatedUserId));`
`852`	`842`
`853`	`843`	`AuthenticatedUserId=BOOTSTRAP_SUPERUSERID;`
`854`		`-AuthenticatedUserIsSuperuser= true;`
`855`		`-`
`856`	`844`	`SetSessionUserId(BOOTSTRAP_SUPERUSERID, true);`
`857`	`845`	`}`
`858`	`846`

`‎src/include/miscadmin.h`

Lines changed: 0 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -357,7 +357,6 @@ extern OidGetUserId(void);`
`357`	`357`	`externOidGetOuterUserId(void);`
`358`	`358`	`externOidGetSessionUserId(void);`
`359`	`359`	`externOidGetAuthenticatedUserId(void);`
`360`		`-externboolGetAuthenticatedUserIsSuperuser(void);`
`361`	`360`	`externvoidGetUserIdAndSecContext(Oiduserid,intsec_context);`
`362`	`361`	`externvoidSetUserIdAndSecContext(Oiduserid,intsec_context);`
`363`	`362`	`externboolInLocalUserIdChange(void);`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commita0363ab

File tree

4 files changed

4 files changed

`‎doc/src/sgml/ref/set_session_auth.sgml`

`‎src/backend/commands/variable.c`

`‎src/backend/utils/init/miscinit.c`

`‎src/include/miscadmin.h`

0 commit comments