database/postgres
database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-06-08 22:02:03 +03:00
Code

Again match pg_user_mappings to information_schema.user_mapping_options.

Browse Source 
Commit 3eefc51053f250837c3115c12f8119d16881a2d7 claimed to make
pg_user_mappings enforce the qualifications user_mapping_options had
been enforcing, but its removal of a longstanding restriction left them
distinct when the current user is the subject of a mapping yet has no
server privileges.  user_mapping_options emits no rows for such a
mapping, but pg_user_mappings includes full umoptions.  Change
pg_user_mappings to show null for umoptions.  Back-patch to 9.2, like
the above commit.

Reviewed by Tom Lane.  Reported by Jeff Janes.

Security: CVE-2017-7547
This commit is contained in:
Noah Misch 2017-08-07 07:09:28 -07:00
parent d5d46d99ba
commit b6e39ca92e
5 changed files with 57 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
doc/src/sgml/catalogs.sgml
View File

@ -9418,17 +9418,37 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx
<entry><type>text[]</type></entry> <entry><type>text[]</type></entry>
<entry></entry> <entry></entry>
<entry> <entry>
User mapping specific options, as <quote>keyword=value</> User mapping specific options, as <quote>keyword=value</> strings
strings. This column will show as null unless the current user
is the user being mapped, or the mapping is for
<literal>PUBLIC</literal> and the current user is the server
owner, or the current user is a superuser. The intent is
to protect password information stored as user mapping option.
</entry> </entry>
</row> </row>
</tbody> </tbody>
</tgroup> </tgroup>
</table> </table>
<para>
To protect password information stored as a user mapping option,
the <structfield>umoptions</structfield> column will read as null
unless one of the following applies:
<itemizedlist>
<listitem>
<para>
current user is the user being mapped, and owns the server or
holds <literal>USAGE</> privilege on it
</para>
</listitem>
<listitem>
<para>
current user is the server owner and mapping is for <literal>PUBLIC</>
</para>
</listitem>
<listitem>
<para>
current user is a superuser
</para>
</listitem>
</itemizedlist>
</para>
</sect1> </sect1>

4
src/backend/catalog/system_views.sql
View File

@ -725,7 +725,9 @@ CREATE VIEW pg_user_mappings AS
ELSE ELSE
A.rolname A.rolname
END AS usename, END AS usename,
CASE WHEN (U.umuser <> 0 AND A.rolname = current_user) CASE WHEN (U.umuser <> 0 AND A.rolname = current_user
AND (pg_has_role(S.srvowner, 'USAGE')
OR has_server_privilege(S.oid, 'USAGE')))
OR (U.umuser = 0 AND pg_has_role(S.srvowner, 'USAGE')) OR (U.umuser = 0 AND pg_has_role(S.srvowner, 'USAGE'))
OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user) OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user)
THEN U.umoptions THEN U.umoptions

32
src/test/regress/expected/foreign_data.out
View File

@ -1140,10 +1140,11 @@ ERROR: permission denied for foreign-data wrapper foo
ALTER SERVER s9 VERSION '1.1'; ALTER SERVER s9 VERSION '1.1';
GRANT USAGE ON FOREIGN SERVER s9 TO regress_test_role; GRANT USAGE ON FOREIGN SERVER s9 TO regress_test_role;
CREATE USER MAPPING FOR current_user SERVER s9; CREATE USER MAPPING FOR current_user SERVER s9;
-- We use terse mode to avoid ordering issues in cascade detail output.
\set VERBOSITY terse
DROP SERVER s9 CASCADE; DROP SERVER s9 CASCADE;
NOTICE: drop cascades to 2 other objects NOTICE: drop cascades to 2 other objects
DETAIL: drop cascades to user mapping for public on server s9 \set VERBOSITY default
drop cascades to user mapping for unprivileged_role on server s9
RESET ROLE; RESET ROLE;
CREATE SERVER s9 FOREIGN DATA WRAPPER foo; CREATE SERVER s9 FOREIGN DATA WRAPPER foo;
GRANT USAGE ON FOREIGN SERVER s9 TO unprivileged_role; GRANT USAGE ON FOREIGN SERVER s9 TO unprivileged_role;
@ -1159,13 +1160,14 @@ ERROR: must be owner of foreign server s9
SET ROLE regress_test_role; SET ROLE regress_test_role;
CREATE SERVER s10 FOREIGN DATA WRAPPER foo; CREATE SERVER s10 FOREIGN DATA WRAPPER foo;
CREATE USER MAPPING FOR public SERVER s10 OPTIONS (user 'secret'); CREATE USER MAPPING FOR public SERVER s10 OPTIONS (user 'secret');
GRANT USAGE ON FOREIGN SERVER s10 TO unprivileged_role; CREATE USER MAPPING FOR unprivileged_role SERVER s10 OPTIONS (user 'secret');
-- owner of server can see option fields -- owner of server can see some option fields
\deu+ \deu+
List of user mappings List of user mappings
Server | User name | FDW Options Server | User name | FDW Options
--------+-------------------+------------------- --------+-------------------+-------------------
s10 | public | ("user" 'secret') s10 | public | ("user" 'secret')
s10 | unprivileged_role |
s4 | foreign_data_user | s4 | foreign_data_user |
s5 | regress_test_role | (modified '1') s5 | regress_test_role | (modified '1')
s6 | regress_test_role | s6 | regress_test_role |
@ -1173,15 +1175,16 @@ GRANT USAGE ON FOREIGN SERVER s10 TO unprivileged_role;
s8 | public | s8 | public |
s9 | unprivileged_role | s9 | unprivileged_role |
t1 | public | (modified '1') t1 | public | (modified '1')
(8 rows) (9 rows)
RESET ROLE; RESET ROLE;
-- superuser can see option fields -- superuser can see all option fields
\deu+ \deu+
List of user mappings List of user mappings
Server | User name | FDW Options Server | User name | FDW Options
--------+-------------------+--------------------- --------+-------------------+---------------------
s10 | public | ("user" 'secret') s10 | public | ("user" 'secret')
s10 | unprivileged_role | ("user" 'secret')
s4 | foreign_data_user | s4 | foreign_data_user |
s5 | regress_test_role | (modified '1') s5 | regress_test_role | (modified '1')
s6 | regress_test_role | s6 | regress_test_role |
@ -1189,15 +1192,16 @@ RESET ROLE;
s8 | public | s8 | public |
s9 | unprivileged_role | s9 | unprivileged_role |
t1 | public | (modified '1') t1 | public | (modified '1')
(8 rows) (9 rows)
-- unprivileged user cannot see option fields -- unprivileged user cannot see any option field
SET ROLE unprivileged_role; SET ROLE unprivileged_role;
\deu+ \deu+
List of user mappings List of user mappings
Server | User name | FDW Options Server | User name | FDW Options
--------+-------------------+------------- --------+-------------------+-------------
s10 | public | s10 | public |
s10 | unprivileged_role |
s4 | foreign_data_user | s4 | foreign_data_user |
s5 | regress_test_role | s5 | regress_test_role |
s6 | regress_test_role | s6 | regress_test_role |
@ -1205,11 +1209,13 @@ SET ROLE unprivileged_role;
s8 | public | s8 | public |
s9 | unprivileged_role | s9 | unprivileged_role |
t1 | public | t1 | public |
(8 rows) (9 rows)
RESET ROLE; RESET ROLE;
\set VERBOSITY terse
DROP SERVER s10 CASCADE; DROP SERVER s10 CASCADE;
NOTICE: drop cascades to user mapping for public on server s10 NOTICE: drop cascades to 2 other objects
\set VERBOSITY default
-- Triggers -- Triggers
CREATE FUNCTION dummy_trigger() RETURNS TRIGGER AS $$ CREATE FUNCTION dummy_trigger() RETURNS TRIGGER AS $$
BEGIN BEGIN
@ -1271,16 +1277,12 @@ owner of user mapping for regress_test_role on server s6
DROP SERVER t1 CASCADE; DROP SERVER t1 CASCADE;
NOTICE: drop cascades to user mapping for public on server t1 NOTICE: drop cascades to user mapping for public on server t1
DROP USER MAPPING FOR regress_test_role SERVER s6; DROP USER MAPPING FOR regress_test_role SERVER s6;
-- This test causes some order dependent cascade detail output,
-- so switch to terse mode for it.
\set VERBOSITY terse \set VERBOSITY terse
DROP FOREIGN DATA WRAPPER foo CASCADE; DROP FOREIGN DATA WRAPPER foo CASCADE;
NOTICE: drop cascades to 5 other objects NOTICE: drop cascades to 5 other objects
\set VERBOSITY default
DROP SERVER s8 CASCADE; DROP SERVER s8 CASCADE;
NOTICE: drop cascades to 2 other objects NOTICE: drop cascades to 2 other objects
DETAIL: drop cascades to user mapping for foreign_data_user on server s8 \set VERBOSITY default
drop cascades to user mapping for public on server s8
DROP ROLE regress_test_indirect; DROP ROLE regress_test_indirect;
DROP ROLE regress_test_role; DROP ROLE regress_test_role;
DROP ROLE unprivileged_role; -- ERROR DROP ROLE unprivileged_role; -- ERROR

2
src/test/regress/expected/rules.out
View File

@ -2051,7 +2051,7 @@ pg_user_mappings| SELECT u.oid AS umid,
ELSE a.rolname ELSE a.rolname
END AS usename, END AS usename,
CASE CASE
WHEN ((((u.umuser <> (0)::oid) AND (a.rolname = "current_user"())) OR ((u.umuser = (0)::oid) AND pg_has_role(s.srvowner, 'USAGE'::text))) OR ( SELECT pg_authid.rolsuper WHEN (((((u.umuser <> (0)::oid) AND (a.rolname = "current_user"())) AND (pg_has_role(s.srvowner, 'USAGE'::text) OR has_server_privilege(s.oid, 'USAGE'::text))) OR ((u.umuser = (0)::oid) AND pg_has_role(s.srvowner, 'USAGE'::text))) OR ( SELECT pg_authid.rolsuper
FROM pg_authid FROM pg_authid
WHERE (pg_authid.rolname = "current_user"()))) THEN u.umoptions WHERE (pg_authid.rolname = "current_user"()))) THEN u.umoptions
ELSE NULL::text[] ELSE NULL::text[]

17
src/test/regress/sql/foreign_data.sql
View File

@ -459,7 +459,10 @@ CREATE SERVER s10 FOREIGN DATA WRAPPER foo; -- ERROR
ALTER SERVER s9 VERSION '1.1'; ALTER SERVER s9 VERSION '1.1';
GRANT USAGE ON FOREIGN SERVER s9 TO regress_test_role; GRANT USAGE ON FOREIGN SERVER s9 TO regress_test_role;
CREATE USER MAPPING FOR current_user SERVER s9; CREATE USER MAPPING FOR current_user SERVER s9;
-- We use terse mode to avoid ordering issues in cascade detail output.
\set VERBOSITY terse
DROP SERVER s9 CASCADE; DROP SERVER s9 CASCADE;
\set VERBOSITY default
RESET ROLE; RESET ROLE;
CREATE SERVER s9 FOREIGN DATA WRAPPER foo; CREATE SERVER s9 FOREIGN DATA WRAPPER foo;
GRANT USAGE ON FOREIGN SERVER s9 TO unprivileged_role; GRANT USAGE ON FOREIGN SERVER s9 TO unprivileged_role;
@ -473,17 +476,19 @@ DROP SERVER s9 CASCADE; -- ERROR
SET ROLE regress_test_role; SET ROLE regress_test_role;
CREATE SERVER s10 FOREIGN DATA WRAPPER foo; CREATE SERVER s10 FOREIGN DATA WRAPPER foo;
CREATE USER MAPPING FOR public SERVER s10 OPTIONS (user 'secret'); CREATE USER MAPPING FOR public SERVER s10 OPTIONS (user 'secret');
GRANT USAGE ON FOREIGN SERVER s10 TO unprivileged_role; CREATE USER MAPPING FOR unprivileged_role SERVER s10 OPTIONS (user 'secret');
-- owner of server can see option fields -- owner of server can see some option fields
\deu+ \deu+
RESET ROLE; RESET ROLE;
-- superuser can see option fields -- superuser can see all option fields
\deu+ \deu+
-- unprivileged user cannot see option fields -- unprivileged user cannot see any option field
SET ROLE unprivileged_role; SET ROLE unprivileged_role;
\deu+ \deu+
RESET ROLE; RESET ROLE;
\set VERBOSITY terse
DROP SERVER s10 CASCADE; DROP SERVER s10 CASCADE;
\set VERBOSITY default
-- Triggers -- Triggers
CREATE FUNCTION dummy_trigger() RETURNS TRIGGER AS $$ CREATE FUNCTION dummy_trigger() RETURNS TRIGGER AS $$
@ -544,12 +549,10 @@ DROP SCHEMA foreign_schema CASCADE;
DROP ROLE regress_test_role; -- ERROR DROP ROLE regress_test_role; -- ERROR
DROP SERVER t1 CASCADE; DROP SERVER t1 CASCADE;
DROP USER MAPPING FOR regress_test_role SERVER s6; DROP USER MAPPING FOR regress_test_role SERVER s6;
-- This test causes some order dependent cascade detail output,
-- so switch to terse mode for it.
\set VERBOSITY terse \set VERBOSITY terse
DROP FOREIGN DATA WRAPPER foo CASCADE; DROP FOREIGN DATA WRAPPER foo CASCADE;
\set VERBOSITY default
DROP SERVER s8 CASCADE; DROP SERVER s8 CASCADE;
\set VERBOSITY default
DROP ROLE regress_test_indirect; DROP ROLE regress_test_indirect;
DROP ROLE regress_test_role; DROP ROLE regress_test_role;
DROP ROLE unprivileged_role; -- ERROR DROP ROLE unprivileged_role; -- ERROR