Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commitfea164a

Browse files
committed
Shore up ADMIN OPTION restrictions.
Granting a role without ADMIN OPTION is supposed to prevent the granteefrom adding or removing members from the granted role. Issuing SET ROLEbefore the GRANT bypassed that, because the role itself had an implicitright to add or remove members. Plug that hole by recognizing thatimplicit right only when the session user matches the current role.Additionally, do not recognize it during a security-restricted operationor during execution of a SECURITY DEFINER function. The restriction onSECURITY DEFINER is not security-critical. However, it seems best for auser testing his own SECURITY DEFINER function to see the same behaviorothers will see. Back-patch to 8.4 (all supported versions).The SQL standards do not conflate roles and users as PostgreSQL does;only SQL roles have members, and only SQL users initiate sessions. Anapplication using PostgreSQL users and roles as SQL users and roles willnever attempt to grant membership in the role that is the session user,so the implicit right to add or remove members will never arise.The security impact was mostly that a role member could revoke accessfrom others, contrary to the wishes of his own grantor. Unapproved rolemember additions are less notable, because the member can still largelyachieve that by creating a view or a SECURITY DEFINER function.Reviewed by Andres Freund and Tom Lane. Reported, independently, byJonas Sundman and Noah Misch.Security:CVE-2014-0060
1 parent0983315 commitfea164a

File tree

5 files changed

+120
-18
lines changed

5 files changed

+120
-18
lines changed

‎doc/src/sgml/ref/grant.sgml

Lines changed: 7 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -395,11 +395,13 @@ GRANT <replaceable class="PARAMETER">role_name</replaceable> [, ...] TO <replace
395395
<para>
396396
If <literal>WITH ADMIN OPTION</literal> is specified, the member can
397397
in turn grant membership in the role to others, and revoke membership
398-
in the role as well. Without the admin option, ordinary users cannot do
399-
that. However,
400-
database superusers can grant or revoke membership in any role to anyone.
401-
Roles having <literal>CREATEROLE</> privilege can grant or revoke
402-
membership in any role that is not a superuser.
398+
in the role as well. Without the admin option, ordinary users cannot
399+
do that. A role is not considered to hold <literal>WITH ADMIN
400+
OPTION</literal> on itself, but it may grant or revoke membership in
401+
itself from a database session where the session user matches the
402+
role. Database superusers can grant or revoke membership in any role
403+
to anyone. Roles having <literal>CREATEROLE</> privilege can grant
404+
or revoke membership in any role that is not a superuser.
403405
</para>
404406

405407
<para>

‎src/backend/commands/user.c

Lines changed: 10 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1366,7 +1366,16 @@ AddRoleMems(const char *rolename, Oid roleid,
13661366
rolename)));
13671367
}
13681368

1369-
/* XXX not sure about this check */
1369+
/*
1370+
* The role membership grantor of record has little significance at
1371+
* present. Nonetheless, inasmuch as users might look to it for a crude
1372+
* audit trail, let only superusers impute the grant to a third party.
1373+
*
1374+
* Before lifting this restriction, give the member == role case of
1375+
* is_admin_of_role() a fresh look. Ensure that the current role cannot
1376+
* use an explicit grantor specification to take advantage of the session
1377+
* user's self-admin right.
1378+
*/
13701379
if (grantorId!=GetUserId()&& !superuser())
13711380
ereport(ERROR,
13721381
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),

‎src/backend/utils/adt/acl.c

Lines changed: 40 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -4582,6 +4582,11 @@ pg_role_aclcheck(Oid role_oid, Oid roleid, AclMode mode)
45824582
{
45834583
if (mode&ACL_GRANT_OPTION_FOR(ACL_CREATE))
45844584
{
4585+
/*
4586+
* XXX For roleid == role_oid, is_admin_of_role() also examines the
4587+
* session and call stack. That suits two-argument pg_has_role(), but
4588+
* it gives the three-argument version a lamentable whimsy.
4589+
*/
45854590
if (is_admin_of_role(roleid,role_oid))
45864591
returnACLCHECK_OK;
45874592
}
@@ -4899,11 +4904,9 @@ is_member_of_role_nosuper(Oid member, Oid role)
48994904

49004905

49014906
/*
4902-
* Is member an admin of role (directly or indirectly)? That is, is it
4903-
* a member WITH ADMIN OPTION?
4904-
*
4905-
* We could cache the result as for is_member_of_role, but currently this
4906-
* is not used in any performance-critical paths, so we don't.
4907+
* Is member an admin of role? That is, is member the role itself (subject to
4908+
* restrictions below), a member (directly or indirectly) WITH ADMIN OPTION,
4909+
* or a superuser?
49074910
*/
49084911
bool
49094912
is_admin_of_role(Oidmember,Oidrole)
@@ -4912,14 +4915,41 @@ is_admin_of_role(Oid member, Oid role)
49124915
List*roles_list;
49134916
ListCell*l;
49144917

4915-
/* Fast path for simple case */
4916-
if (member==role)
4917-
return true;
4918-
4919-
/* Superusers have every privilege, so are part of every role */
49204918
if (superuser_arg(member))
49214919
return true;
49224920

4921+
if (member==role)
4922+
/*
4923+
* A role can admin itself when it matches the session user and we're
4924+
* outside any security-restricted operation, SECURITY DEFINER or
4925+
* similar context. SQL-standard roles cannot self-admin. However,
4926+
* SQL-standard users are distinct from roles, and they are not
4927+
* grantable like roles: PostgreSQL's role-user duality extends the
4928+
* standard. Checking for a session user match has the effect of
4929+
* letting a role self-admin only when it's conspicuously behaving
4930+
* like a user. Note that allowing self-admin under a mere SET ROLE
4931+
* would make WITH ADMIN OPTION largely irrelevant; any member could
4932+
* SET ROLE to issue the otherwise-forbidden command.
4933+
*
4934+
* Withholding self-admin in a security-restricted operation prevents
4935+
* object owners from harnessing the session user identity during
4936+
* administrative maintenance. Suppose Alice owns a database, has
4937+
* issued "GRANT alice TO bob", and runs a daily ANALYZE. Bob creates
4938+
* an alice-owned SECURITY DEFINER function that issues "REVOKE alice
4939+
* FROM carol". If he creates an expression index calling that
4940+
* function, Alice will attempt the REVOKE during each ANALYZE.
4941+
* Checking InSecurityRestrictedOperation() thwarts that attack.
4942+
*
4943+
* Withholding self-admin in SECURITY DEFINER functions makes their
4944+
* behavior independent of the calling user. There's no security or
4945+
* SQL-standard-conformance need for that restriction, though.
4946+
*
4947+
* A role cannot have actual WITH ADMIN OPTION on itself, because that
4948+
* would imply a membership loop. Therefore, we're done either way.
4949+
*/
4950+
returnmember==GetSessionUserId()&&
4951+
!InLocalUserIdChange()&& !InSecurityRestrictedOperation();
4952+
49234953
/*
49244954
* Find all the roles that member is a member of, including multi-level
49254955
* recursion. We build a list in the same way that is_member_of_role does

‎src/test/regress/expected/privileges.out

Lines changed: 35 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -32,7 +32,7 @@ ALTER GROUP regressgroup1 ADD USER regressuser4;
3232
ALTER GROUP regressgroup2 ADD USER regressuser2;-- duplicate
3333
NOTICE: role "regressuser2" is already a member of role "regressgroup2"
3434
ALTER GROUP regressgroup2 DROP USER regressuser2;
35-
ALTER GROUPregressgroup2ADD USERregressuser4;
35+
GRANTregressgroup2TOregressuser4 WITH ADMIN OPTION;
3636
-- test owner privileges
3737
SET SESSION AUTHORIZATION regressuser1;
3838
SELECT session_user, current_user;
@@ -948,6 +948,40 @@ SELECT has_table_privilege('regressuser1', 'atest4', 'SELECT WITH GRANT OPTION')
948948
t
949949
(1 row)
950950

951+
-- Admin options
952+
SET SESSION AUTHORIZATION regressuser4;
953+
CREATE FUNCTION dogrant_ok() RETURNS void LANGUAGE sql SECURITY DEFINER AS
954+
'GRANT regressgroup2 TO regressuser5';
955+
GRANT regressgroup2 TO regressuser5; -- ok: had ADMIN OPTION
956+
SET ROLE regressgroup2;
957+
GRANT regressgroup2 TO regressuser5; -- fails: SET ROLE suspended privilege
958+
ERROR: must have admin option on role "regressgroup2"
959+
SET SESSION AUTHORIZATION regressuser1;
960+
GRANT regressgroup2 TO regressuser5; -- fails: no ADMIN OPTION
961+
ERROR: must have admin option on role "regressgroup2"
962+
SELECT dogrant_ok();-- ok: SECURITY DEFINER conveys ADMIN
963+
NOTICE: role "regressuser5" is already a member of role "regressgroup2"
964+
CONTEXT: SQL function "dogrant_ok" statement 1
965+
dogrant_ok
966+
------------
967+
968+
(1 row)
969+
970+
SET ROLE regressgroup2;
971+
GRANT regressgroup2 TO regressuser5; -- fails: SET ROLE did not help
972+
ERROR: must have admin option on role "regressgroup2"
973+
SET SESSION AUTHORIZATION regressgroup2;
974+
GRANT regressgroup2 TO regressuser5; -- ok: a role can self-admin
975+
NOTICE: role "regressuser5" is already a member of role "regressgroup2"
976+
CREATE FUNCTION dogrant_fails() RETURNS void LANGUAGE sql SECURITY DEFINER AS
977+
'GRANT regressgroup2 TO regressuser5';
978+
SELECT dogrant_fails();-- fails: no self-admin in SECURITY DEFINER
979+
ERROR: must have admin option on role "regressgroup2"
980+
CONTEXT: SQL function "dogrant_fails" statement 1
981+
DROP FUNCTION dogrant_fails();
982+
SET SESSION AUTHORIZATION regressuser4;
983+
DROP FUNCTION dogrant_ok();
984+
REVOKE regressgroup2 FROM regressuser5;
951985
-- has_sequence_privilege tests
952986
\c -
953987
CREATE SEQUENCE x_seq;

‎src/test/regress/sql/privileges.sql

Lines changed: 28 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -37,7 +37,7 @@ ALTER GROUP regressgroup1 ADD USER regressuser4;
3737

3838
ALTERGROUP regressgroup2 ADD USER regressuser2;-- duplicate
3939
ALTERGROUP regressgroup2 DROP USER regressuser2;
40-
ALTERGROUPregressgroup2ADD USERregressuser4;
40+
GRANTregressgroup2TOregressuser4 WITH ADMIN OPTION;
4141

4242
-- test owner privileges
4343

@@ -599,6 +599,33 @@ SELECT has_table_privilege('regressuser3', 'atest4', 'SELECT'); -- false
599599
SELECT has_table_privilege('regressuser1','atest4','SELECT WITH GRANT OPTION');-- true
600600

601601

602+
-- Admin options
603+
604+
SET SESSION AUTHORIZATION regressuser4;
605+
CREATEFUNCTIONdogrant_ok() RETURNS void LANGUAGE sql SECURITY DEFINERAS
606+
'GRANT regressgroup2 TO regressuser5';
607+
GRANT regressgroup2 TO regressuser5;-- ok: had ADMIN OPTION
608+
SET ROLE regressgroup2;
609+
GRANT regressgroup2 TO regressuser5;-- fails: SET ROLE suspended privilege
610+
611+
SET SESSION AUTHORIZATION regressuser1;
612+
GRANT regressgroup2 TO regressuser5;-- fails: no ADMIN OPTION
613+
SELECT dogrant_ok();-- ok: SECURITY DEFINER conveys ADMIN
614+
SET ROLE regressgroup2;
615+
GRANT regressgroup2 TO regressuser5;-- fails: SET ROLE did not help
616+
617+
SET SESSION AUTHORIZATION regressgroup2;
618+
GRANT regressgroup2 TO regressuser5;-- ok: a role can self-admin
619+
CREATEFUNCTIONdogrant_fails() RETURNS void LANGUAGE sql SECURITY DEFINERAS
620+
'GRANT regressgroup2 TO regressuser5';
621+
SELECT dogrant_fails();-- fails: no self-admin in SECURITY DEFINER
622+
DROPFUNCTION dogrant_fails();
623+
624+
SET SESSION AUTHORIZATION regressuser4;
625+
DROPFUNCTION dogrant_ok();
626+
REVOKE regressgroup2FROM regressuser5;
627+
628+
602629
-- has_sequence_privilege tests
603630
\c-
604631

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp