database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-06-14 18:42:34 +03:00
Code Activity

Make REPLICATION privilege checks test current user not authenticated user.

Browse Source 
The pg_start_backup() and pg_stop_backup() functions checked the privileges
of the initially-authenticated user rather than the current user, which is
wrong.  For example, a user-defined index function could successfully call
these functions when executed by ANALYZE within autovacuum.  This could
allow an attacker with valid but low-privilege database access to interfere
with creation of routine backups.  Reported and fixed by Noah Misch.

Security: CVE-2013-1901
This commit is contained in:
Tom Lane
2013-04-01 13:09:35 -04:00
parent 54d4a8f023
commit b403f4107b
4 changed files with 7 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/backend/access/transam/xlog.c
View File

@ -8982,7 +8982,7 @@ do_pg_start_backup(const char *backupidstr, bool fast, char **labelfile)
FILE *fp; FILE *fp;
StringInfoData labelfbuf; StringInfoData labelfbuf;
if (!superuser() && !is_authenticated_user_replication_role()) if (!superuser() && !has_rolreplication(GetUserId()))
ereport(ERROR, ereport(ERROR,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
errmsg("must be superuser or replication role to run a backup"))); errmsg("must be superuser or replication role to run a backup")));
@ -9261,7 +9261,7 @@ do_pg_stop_backup(char *labelfile, bool waitforarchive)
bool reported_waiting = false; bool reported_waiting = false;
char *remaining; char *remaining;
if (!superuser() && !is_authenticated_user_replication_role()) if (!superuser() && !has_rolreplication(GetUserId()))
ereport(ERROR, ereport(ERROR,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
(errmsg("must be superuser or replication role to run a backup")))); (errmsg("must be superuser or replication role to run a backup"))));

6
src/backend/utils/init/miscinit.c
View File

@ -389,15 +389,15 @@ SetUserIdAndContext(Oid userid, bool sec_def_context)
/* /*
* Check if the authenticated user is a replication role * Check whether specified role has explicit REPLICATION privilege
*/ */
bool bool
is_authenticated_user_replication_role(void) has_rolreplication(Oid roleid)
{ {
bool result = false; bool result = false;
HeapTuple utup; HeapTuple utup;
utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(AuthenticatedUserId)); utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
if (HeapTupleIsValid(utup)) if (HeapTupleIsValid(utup))
{ {
result = ((Form_pg_authid) GETSTRUCT(utup))->rolreplication; result = ((Form_pg_authid) GETSTRUCT(utup))->rolreplication;

2
src/backend/utils/init/postinit.c
View File

@ -669,7 +669,7 @@ InitPostgres(const char *in_dbname, Oid dboid, const char *username,
Assert(!bootstrap); Assert(!bootstrap);
/* must have authenticated as a replication role */ /* must have authenticated as a replication role */
if (!is_authenticated_user_replication_role()) if (!has_rolreplication(GetUserId()))
ereport(FATAL, ereport(FATAL,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
errmsg("must be replication role to start walsender"))); errmsg("must be replication role to start walsender")));

2
src/include/miscadmin.h
View File

@ -395,7 +395,7 @@ extern void ValidatePgVersion(const char *path);
extern void process_shared_preload_libraries(void); extern void process_shared_preload_libraries(void);
extern void process_local_preload_libraries(void); extern void process_local_preload_libraries(void);
extern void pg_bindtextdomain(const char *domain); extern void pg_bindtextdomain(const char *domain);
extern bool is_authenticated_user_replication_role(void); extern bool has_rolreplication(Oid roleid);
/* in access/transam/xlog.c */ /* in access/transam/xlog.c */
extern bool BackupInProgress(void); extern bool BackupInProgress(void);