database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-07-30 11:03:19 +03:00
Code Activity

Again match pg_user_mappings to information_schema.user_mapping_options.

Browse Source 
Commit 3eefc51053 claimed to make
pg_user_mappings enforce the qualifications user_mapping_options had
been enforcing, but its removal of a longstanding restriction left them
distinct when the current user is the subject of a mapping yet has no
server privileges.  user_mapping_options emits no rows for such a
mapping, but pg_user_mappings includes full umoptions.  Change
pg_user_mappings to show null for umoptions.  Back-patch to 9.2, like
the above commit.

Reviewed by Tom Lane.  Reported by Jeff Janes.

Security: CVE-2017-7547
This commit is contained in:
Noah Misch
2017-08-07 07:09:28 -07:00
parent b2f833ea71
commit 5e8e009146
5 changed files with 856 additions and 829 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
doc/src/sgml/catalogs.sgml
View File

@ -9211,17 +9211,37 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx
<entry><type>text[]</type></entry>
<entry></entry>
<entry>
User mapping specific options, as <quote>keyword=value</>
strings. This column will show as null unless the current user
is the user being mapped, or the mapping is for
<literal>PUBLIC</literal> and the current user is the server
owner, or the current user is a superuser. The intent is
to protect password information stored as user mapping option.
User mapping specific options, as <quote>keyword=value</> strings
</entry>
</row>
</tbody>
</tgroup>
</table>
<para>
To protect password information stored as a user mapping option,
the <structfield>umoptions</structfield> column will read as null
unless one of the following applies:
<itemizedlist>
<listitem>
<para>
current user is the user being mapped, and owns the server or
holds <literal>USAGE</> privilege on it
</para>
</listitem>
<listitem>
<para>
current user is the server owner and mapping is for <literal>PUBLIC</>
</para>
</listitem>
<listitem>
<para>
current user is a superuser
</para>
</listitem>
</itemizedlist>
</para>
</sect1>

4
src/backend/catalog/system_views.sql
View File

@ -696,7 +696,9 @@ CREATE VIEW pg_user_mappings AS
ELSE
A.rolname
END AS usename,
CASE WHEN (U.umuser <> 0 AND A.rolname = current_user)
CASE WHEN (U.umuser <> 0 AND A.rolname = current_user
AND (pg_has_role(S.srvowner, 'USAGE')
OR has_server_privilege(S.oid, 'USAGE')))
OR (U.umuser = 0 AND pg_has_role(S.srvowner, 'USAGE'))
OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user)
THEN U.umoptions

32
src/test/regress/expected/foreign_data.out
View File

@ -1142,10 +1142,11 @@ ERROR: permission denied for foreign-data wrapper foo
ALTER SERVER s9 VERSION '1.1';
GRANT USAGE ON FOREIGN SERVER s9 TO regress_test_role;
CREATE USER MAPPING FOR current_user SERVER s9;
-- We use terse mode to avoid ordering issues in cascade detail output.
\set VERBOSITY terse
DROP SERVER s9 CASCADE;
NOTICE: drop cascades to 2 other objects
DETAIL: drop cascades to user mapping for public on server s9
drop cascades to user mapping for unprivileged_role on server s9
\set VERBOSITY default
RESET ROLE;
CREATE SERVER s9 FOREIGN DATA WRAPPER foo;
GRANT USAGE ON FOREIGN SERVER s9 TO unprivileged_role;
@ -1161,13 +1162,14 @@ ERROR: must be owner of foreign server s9
SET ROLE regress_test_role;
CREATE SERVER s10 FOREIGN DATA WRAPPER foo;
CREATE USER MAPPING FOR public SERVER s10 OPTIONS (user 'secret');
GRANT USAGE ON FOREIGN SERVER s10 TO unprivileged_role;
-- owner of server can see option fields
CREATE USER MAPPING FOR unprivileged_role SERVER s10 OPTIONS (user 'secret');
-- owner of server can see some option fields
\deu+
List of user mappings
Server | User name | FDW Options
--------+-------------------+-------------------
s10 | public | ("user" 'secret')
s10 | unprivileged_role |
s4 | foreign_data_user |
s5 | regress_test_role | (modified '1')
s6 | regress_test_role |
@ -1175,15 +1177,16 @@ GRANT USAGE ON FOREIGN SERVER s10 TO unprivileged_role;
s8 | public |
s9 | unprivileged_role |
t1 | public | (modified '1')
(8 rows)
(9 rows)
RESET ROLE;
-- superuser can see option fields
-- superuser can see all option fields
\deu+
List of user mappings
Server | User name | FDW Options
--------+-------------------+---------------------
s10 | public | ("user" 'secret')
s10 | unprivileged_role | ("user" 'secret')
s4 | foreign_data_user |
s5 | regress_test_role | (modified '1')
s6 | regress_test_role |
@ -1191,15 +1194,16 @@ RESET ROLE;
s8 | public |
s9 | unprivileged_role |
t1 | public | (modified '1')
(8 rows)
(9 rows)
-- unprivileged user cannot see option fields
-- unprivileged user cannot see any option field
SET ROLE unprivileged_role;
\deu+
List of user mappings
Server | User name | FDW Options
--------+-------------------+-------------
s10 | public |
s10 | unprivileged_role |
s4 | foreign_data_user |
s5 | regress_test_role |
s6 | regress_test_role |
@ -1207,11 +1211,13 @@ SET ROLE unprivileged_role;
s8 | public |
s9 | unprivileged_role |
t1 | public |
(8 rows)
(9 rows)
RESET ROLE;
\set VERBOSITY terse
DROP SERVER s10 CASCADE;
NOTICE: drop cascades to user mapping for public on server s10
NOTICE: drop cascades to 2 other objects
\set VERBOSITY default
-- DROP FOREIGN TABLE
DROP FOREIGN TABLE no_table; -- ERROR
ERROR: foreign table "no_table" does not exist
@ -1236,16 +1242,12 @@ owner of user mapping for regress_test_role on server s6
DROP SERVER t1 CASCADE;
NOTICE: drop cascades to user mapping for public on server t1
DROP USER MAPPING FOR regress_test_role SERVER s6;
-- This test causes some order dependent cascade detail output,
-- so switch to terse mode for it.
\set VERBOSITY terse
DROP FOREIGN DATA WRAPPER foo CASCADE;
NOTICE: drop cascades to 5 other objects
\set VERBOSITY default
DROP SERVER s8 CASCADE;
NOTICE: drop cascades to 2 other objects
DETAIL: drop cascades to user mapping for foreign_data_user on server s8
drop cascades to user mapping for public on server s8
\set VERBOSITY default
DROP ROLE regress_test_indirect;
DROP ROLE regress_test_role;
DROP ROLE unprivileged_role; -- ERROR

6
src/test/regress/expected/rules.out
View File

@ -1278,7 +1278,7 @@ drop table cchild;
--
SELECT viewname, definition FROM pg_views WHERE schemaname <> 'information_schema' ORDER BY viewname;
viewname | definition
---------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
iexit | SELECT ih.name, +
| ih.thepath, +
| interpt_pp(ih.thepath, r.thepath) AS exit +
@ -1693,7 +1693,7 @@ SELECT viewname, definition FROM pg_views WHERE schemaname <> 'information_schem
| w.replay_location, +
| w.sync_priority, +
| w.sync_state +
| FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, waiting, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port),+
| FROM pg_stat_get_activity(NULL::integer) s(datid, pid, usesysid, application_name, state, query, waiting, xact_start, query_start, backend_start, state_change, client_addr, client_hostname, client_port), +
| pg_authid u, +
| pg_stat_get_wal_senders() w(pid, state, sent_location, write_location, flush_location, replay_location, sync_priority, sync_state) +
| WHERE ((s.usesysid = u.oid) AND (s.pid = w.pid));
@ -2026,7 +2026,7 @@ SELECT viewname, definition FROM pg_views WHERE schemaname <> 'information_schem
| ELSE a.rolname +
| END AS usename, +
| CASE +
| WHEN ((((u.umuser <> (0)::oid) AND (a.rolname = "current_user"())) OR ((u.umuser = (0)::oid) AND pg_has_role(s.srvowner, 'USAGE'::text))) OR ( SELECT pg_authid.rolsuper +
| WHEN (((((u.umuser <> (0)::oid) AND (a.rolname = "current_user"())) AND (pg_has_role(s.srvowner, 'USAGE'::text) OR has_server_privilege(s.oid, 'USAGE'::text))) OR ((u.umuser = (0)::oid) AND pg_has_role(s.srvowner, 'USAGE'::text))) OR ( SELECT pg_authid.rolsuper+
| FROM pg_authid +
| WHERE (pg_authid.rolname = "current_user"()))) THEN u.umoptions +
| ELSE NULL::text[] +

17
src/test/regress/sql/foreign_data.sql
View File

@ -459,7 +459,10 @@ CREATE SERVER s10 FOREIGN DATA WRAPPER foo; -- ERROR
ALTER SERVER s9 VERSION '1.1';
GRANT USAGE ON FOREIGN SERVER s9 TO regress_test_role;
CREATE USER MAPPING FOR current_user SERVER s9;
-- We use terse mode to avoid ordering issues in cascade detail output.
\set VERBOSITY terse
DROP SERVER s9 CASCADE;
\set VERBOSITY default
RESET ROLE;
CREATE SERVER s9 FOREIGN DATA WRAPPER foo;
GRANT USAGE ON FOREIGN SERVER s9 TO unprivileged_role;
@ -473,17 +476,19 @@ DROP SERVER s9 CASCADE; -- ERROR
SET ROLE regress_test_role;
CREATE SERVER s10 FOREIGN DATA WRAPPER foo;
CREATE USER MAPPING FOR public SERVER s10 OPTIONS (user 'secret');
GRANT USAGE ON FOREIGN SERVER s10 TO unprivileged_role;
-- owner of server can see option fields
CREATE USER MAPPING FOR unprivileged_role SERVER s10 OPTIONS (user 'secret');
-- owner of server can see some option fields
\deu+
RESET ROLE;
-- superuser can see option fields
-- superuser can see all option fields
\deu+
-- unprivileged user cannot see option fields
-- unprivileged user cannot see any option field
SET ROLE unprivileged_role;
\deu+
RESET ROLE;
\set VERBOSITY terse
DROP SERVER s10 CASCADE;
\set VERBOSITY default
-- DROP FOREIGN TABLE
DROP FOREIGN TABLE no_table; -- ERROR
@ -500,12 +505,10 @@ DROP SCHEMA foreign_schema CASCADE;
DROP ROLE regress_test_role; -- ERROR
DROP SERVER t1 CASCADE;
DROP USER MAPPING FOR regress_test_role SERVER s6;
-- This test causes some order dependent cascade detail output,
-- so switch to terse mode for it.
\set VERBOSITY terse
DROP FOREIGN DATA WRAPPER foo CASCADE;
\set VERBOSITY default
DROP SERVER s8 CASCADE;
\set VERBOSITY default
DROP ROLE regress_test_indirect;
DROP ROLE regress_test_role;
DROP ROLE unprivileged_role; -- ERROR