forked frompostgres/postgres
- Notifications
You must be signed in to change notification settings - Fork6
Commitdc73787
committed
Parallel workers use AuthenticatedUserId for connection privilege checks.
Commit5a2fed9 had an unexpected side-effect: the parallel workerlaunched for the new test case would fail if it couldn't use asuperuser-reserved connection slot. The reason that test failedwhile all our pre-existing ones worked is that the connectionprivilege tests in InitPostgres had been based on the superusernessof the leader's AuthenticatedUserId, but after the rearrangementsof5a2fed9 we were testing the superuserness of CurrentUserId,which the new test case deliberately made to be a non-superuser.This all seems very accidental and probably not the behavior we reallywant, but a security patch is no time to be redesigning things.Pending some discussion about desirable semantics, hack it so thatInitPostgres continues to pay attention to the superuserness ofAuthenticatedUserId when starting a parallel worker.Nathan Bossart and Tom Lane, per buildfarm member sawshark.Security:CVE-2024-109781 parent0bd9560 commitdc73787
1 file changed
+18
-1
lines changedLines changed: 18 additions & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
22 | 22 | | |
23 | 23 | | |
24 | 24 | | |
| 25 | + | |
25 | 26 | | |
26 | 27 | | |
27 | 28 | | |
| |||
762 | 763 | | |
763 | 764 | | |
764 | 765 | | |
765 | | - | |
| 766 | + | |
| 767 | + | |
| 768 | + | |
| 769 | + | |
| 770 | + | |
| 771 | + | |
| 772 | + | |
| 773 | + | |
| 774 | + | |
| 775 | + | |
| 776 | + | |
| 777 | + | |
| 778 | + | |
| 779 | + | |
| 780 | + | |
| 781 | + | |
| 782 | + | |
766 | 783 | | |
767 | 784 | | |
768 | 785 | | |
| |||
0 commit comments
Comments
(0)