Again match pg_user_mappings to information_schema.user_mapping_options.

Commit 3eefc51053 claimed to make pg_user_mappings enforce the qualifications user_mapping_options had been enforcing, but its removal of a longstanding restriction left them distinct when the current user is the subject of a mapping yet has no server privileges. user_mapping_options emits no rows for such a mapping, but pg_user_mappings includes full umoptions. Change pg_user_mappings to show null for umoptions. Back-patch to 9.2, like the above commit. Reviewed by Tom Lane. Reported by Jeff Janes. Security: CVE-2017-7547
2025-06-29 10:41:53 +03:00 · 2017-08-07 07:09:28 -07:00
parent 06651648a6
commit e255e97a26
5 changed files with 57 additions and 30 deletions
--- a/doc/src/sgml/catalogs.sgml
+++ b/doc/src/sgml/catalogs.sgml
@ -8768,17 +8768,37 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx
      <entry><type>text[]</type></entry>
      <entry></entry>
      <entry>
-       User mapping specific options, as <quote>keyword=value</>
-       strings.  This column will show as null unless the current user
-       is the user being mapped, or the mapping is for
-       <literal>PUBLIC</literal> and the current user is the server
-       owner, or the current user is a superuser.  The intent is
-       to protect password information stored as user mapping option.
+       User mapping specific options, as <quote>keyword=value</> strings
      </entry>
     </row>
    </tbody>
   </tgroup>
  </table>
+
+  <para>
+   To protect password information stored as a user mapping option,
+   the <structfield>umoptions</structfield> column will read as null
+   unless one of the following applies:
+   <itemizedlist>
+    <listitem>
+     <para>
+      current user is the user being mapped, and owns the server or
+      holds <literal>USAGE</> privilege on it
+     </para>
+    </listitem>
+    <listitem>
+     <para>
+      current user is the server owner and mapping is for <literal>PUBLIC</>
+     </para>
+    </listitem>
+    <listitem>
+     <para>
+      current user is a superuser
+     </para>
+    </listitem>
+   </itemizedlist>
+  </para>
+
 </sect1>


--- a/src/backend/catalog/system_views.sql
+++ b/src/backend/catalog/system_views.sql
@ -669,7 +669,9 @@ CREATE VIEW pg_user_mappings AS
        ELSE
            A.rolname
        END AS usename,
-        CASE WHEN (U.umuser <> 0 AND A.rolname = current_user)
+        CASE WHEN (U.umuser <> 0 AND A.rolname = current_user
+                     AND (pg_has_role(S.srvowner, 'USAGE')
+                          OR has_server_privilege(S.oid, 'USAGE')))
                    OR (U.umuser = 0 AND pg_has_role(S.srvowner, 'USAGE'))
                    OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user)
                    THEN U.umoptions
--- a/src/test/regress/expected/foreign_data.out
+++ b/src/test/regress/expected/foreign_data.out
@ -1144,10 +1144,11 @@ ERROR:  permission denied for foreign-data wrapper foo
 ALTER SERVER s9 VERSION '1.1';
 GRANT USAGE ON FOREIGN SERVER s9 TO regress_test_role;
 CREATE USER MAPPING FOR current_user SERVER s9;
+-- We use terse mode to avoid ordering issues in cascade detail output.
+\set VERBOSITY terse
 DROP SERVER s9 CASCADE;
 NOTICE:  drop cascades to 2 other objects
-DETAIL:  drop cascades to user mapping for public on server s9
-drop cascades to user mapping for unprivileged_role on server s9
+\set VERBOSITY default
 RESET ROLE;
 CREATE SERVER s9 FOREIGN DATA WRAPPER foo;
 GRANT USAGE ON FOREIGN SERVER s9 TO unprivileged_role;
@ -1163,13 +1164,14 @@ ERROR:  must be owner of foreign server s9
 SET ROLE regress_test_role;
 CREATE SERVER s10 FOREIGN DATA WRAPPER foo;
 CREATE USER MAPPING FOR public SERVER s10 OPTIONS (user 'secret');
-GRANT USAGE ON FOREIGN SERVER s10 TO unprivileged_role;
-- owner of server can see option fields
+CREATE USER MAPPING FOR unprivileged_role SERVER s10 OPTIONS (user 'secret');
+-- owner of server can see some option fields
 \deu+
             List of user mappings
 Server |     User name     |    FDW Options    
 --------+-------------------+-------------------
 s10    | public            | ("user" 'secret')
+ s10    | unprivileged_role | 
 s4     | foreign_data_user | 
 s5     | regress_test_role | (modified '1')
 s6     | regress_test_role | 
@ -1177,15 +1179,16 @@ GRANT USAGE ON FOREIGN SERVER s10 TO unprivileged_role;
 s8     | public            | 
 s9     | unprivileged_role | 
 t1     | public            | (modified '1')
-(8 rows)
+(9 rows)

 RESET ROLE;
-- superuser can see option fields
+-- superuser can see all option fields
 \deu+
              List of user mappings
 Server |     User name     |     FDW Options     
 --------+-------------------+---------------------
 s10    | public            | ("user" 'secret')
+ s10    | unprivileged_role | ("user" 'secret')
 s4     | foreign_data_user | 
 s5     | regress_test_role | (modified '1')
 s6     | regress_test_role | 
@ -1193,15 +1196,16 @@ RESET ROLE;
 s8     | public            | 
 s9     | unprivileged_role | 
 t1     | public            | (modified '1')
-(8 rows)
+(9 rows)

-- unprivileged user cannot see option fields
+-- unprivileged user cannot see any option field
 SET ROLE unprivileged_role;
 \deu+
          List of user mappings
 Server |     User name     | FDW Options 
 --------+-------------------+-------------
 s10    | public            | 
+ s10    | unprivileged_role | 
 s4     | foreign_data_user | 
 s5     | regress_test_role | 
 s6     | regress_test_role | 
@ -1209,11 +1213,13 @@ SET ROLE unprivileged_role;
 s8     | public            | 
 s9     | unprivileged_role | 
 t1     | public            | 
-(8 rows)
+(9 rows)

 RESET ROLE;
+\set VERBOSITY terse
 DROP SERVER s10 CASCADE;
-NOTICE:  drop cascades to user mapping for public on server s10
+NOTICE:  drop cascades to 2 other objects
+\set VERBOSITY default
 -- DROP FOREIGN TABLE
 DROP FOREIGN TABLE no_table;                                    -- ERROR
 ERROR:  foreign table "no_table" does not exist
@ -1238,16 +1244,12 @@ owner of user mapping for regress_test_role on server s6
 DROP SERVER t1 CASCADE;
 NOTICE:  drop cascades to user mapping for public on server t1
 DROP USER MAPPING FOR regress_test_role SERVER s6;
-- This test causes some order dependent cascade detail output,
-- so switch to terse mode for it.
 \set VERBOSITY terse
 DROP FOREIGN DATA WRAPPER foo CASCADE;
 NOTICE:  drop cascades to 5 other objects
-\set VERBOSITY default
 DROP SERVER s8 CASCADE;
 NOTICE:  drop cascades to 2 other objects
-DETAIL:  drop cascades to user mapping for foreign_data_user on server s8
-drop cascades to user mapping for public on server s8
+\set VERBOSITY default
 DROP ROLE regress_test_indirect;
 DROP ROLE regress_test_role;
 DROP ROLE unprivileged_role;                                -- ERROR
--- a/src/test/regress/expected/rules.out
+++ b/src/test/regress/expected/rules.out
@ -1322,7 +1322,7 @@ SELECT viewname, definition FROM pg_views WHERE schemaname <> 'information_schem
 pg_timezone_abbrevs             | SELECT pg_timezone_abbrevs.abbrev, pg_timezone_abbrevs.utc_offset, pg_timezone_abbrevs.is_dst FROM pg_timezone_abbrevs() pg_timezone_abbrevs(abbrev, utc_offset, is_dst);
 pg_timezone_names               | SELECT pg_timezone_names.name, pg_timezone_names.abbrev, pg_timezone_names.utc_offset, pg_timezone_names.is_dst FROM pg_timezone_names() pg_timezone_names(name, abbrev, utc_offset, is_dst);
 pg_user                         | SELECT pg_shadow.usename, pg_shadow.usesysid, pg_shadow.usecreatedb, pg_shadow.usesuper, pg_shadow.usecatupd, pg_shadow.userepl, '********'::text AS passwd, pg_shadow.valuntil, pg_shadow.useconfig FROM pg_shadow;
- pg_user_mappings                | SELECT u.oid AS umid, s.oid AS srvid, s.srvname, u.umuser, CASE WHEN (u.umuser = (0)::oid) THEN 'public'::name ELSE a.rolname END AS usename, CASE WHEN ((((u.umuser <> (0)::oid) AND (a.rolname = "current_user"())) OR ((u.umuser = (0)::oid) AND pg_has_role(s.srvowner, 'USAGE'::text))) OR (SELECT pg_authid.rolsuper FROM pg_authid WHERE (pg_authid.rolname = "current_user"()))) THEN u.umoptions ELSE NULL::text[] END AS umoptions FROM ((pg_user_mapping u LEFT JOIN pg_authid a ON ((a.oid = u.umuser))) JOIN pg_foreign_server s ON ((u.umserver = s.oid)));
+ pg_user_mappings                | SELECT u.oid AS umid, s.oid AS srvid, s.srvname, u.umuser, CASE WHEN (u.umuser = (0)::oid) THEN 'public'::name ELSE a.rolname END AS usename, CASE WHEN (((((u.umuser <> (0)::oid) AND (a.rolname = "current_user"())) AND (pg_has_role(s.srvowner, 'USAGE'::text) OR has_server_privilege(s.oid, 'USAGE'::text))) OR ((u.umuser = (0)::oid) AND pg_has_role(s.srvowner, 'USAGE'::text))) OR (SELECT pg_authid.rolsuper FROM pg_authid WHERE (pg_authid.rolname = "current_user"()))) THEN u.umoptions ELSE NULL::text[] END AS umoptions FROM ((pg_user_mapping u LEFT JOIN pg_authid a ON ((a.oid = u.umuser))) JOIN pg_foreign_server s ON ((u.umserver = s.oid)));
 pg_views                        | SELECT n.nspname AS schemaname, c.relname AS viewname, pg_get_userbyid(c.relowner) AS viewowner, pg_get_viewdef(c.oid) AS definition FROM (pg_class c LEFT JOIN pg_namespace n ON ((n.oid = c.relnamespace))) WHERE (c.relkind = 'v'::"char");
 rtest_v1                        | SELECT rtest_t1.a, rtest_t1.b FROM rtest_t1;
 rtest_vcomp                     | SELECT x.part, (x.size * y.factor) AS size_in_cm FROM rtest_comp x, rtest_unitfact y WHERE (x.unit = y.unit);
--- a/src/test/regress/sql/foreign_data.sql
+++ b/src/test/regress/sql/foreign_data.sql
@ -460,7 +460,10 @@ CREATE SERVER s10 FOREIGN DATA WRAPPER foo;                     -- ERROR
 ALTER SERVER s9 VERSION '1.1';
 GRANT USAGE ON FOREIGN SERVER s9 TO regress_test_role;
 CREATE USER MAPPING FOR current_user SERVER s9;
+-- We use terse mode to avoid ordering issues in cascade detail output.
+\set VERBOSITY terse
 DROP SERVER s9 CASCADE;
+\set VERBOSITY default
 RESET ROLE;
 CREATE SERVER s9 FOREIGN DATA WRAPPER foo;
 GRANT USAGE ON FOREIGN SERVER s9 TO unprivileged_role;
@ -474,17 +477,19 @@ DROP SERVER s9 CASCADE;                                         -- ERROR
 SET ROLE regress_test_role;
 CREATE SERVER s10 FOREIGN DATA WRAPPER foo;
 CREATE USER MAPPING FOR public SERVER s10 OPTIONS (user 'secret');
-GRANT USAGE ON FOREIGN SERVER s10 TO unprivileged_role;
-- owner of server can see option fields
+CREATE USER MAPPING FOR unprivileged_role SERVER s10 OPTIONS (user 'secret');
+-- owner of server can see some option fields
 \deu+
 RESET ROLE;
-- superuser can see option fields
+-- superuser can see all option fields
 \deu+
-- unprivileged user cannot see option fields
+-- unprivileged user cannot see any option field
 SET ROLE unprivileged_role;
 \deu+
 RESET ROLE;
+\set VERBOSITY terse
 DROP SERVER s10 CASCADE;
+\set VERBOSITY default

 -- DROP FOREIGN TABLE
 DROP FOREIGN TABLE no_table;                                    -- ERROR
@ -501,12 +506,10 @@ DROP SCHEMA foreign_schema CASCADE;
 DROP ROLE regress_test_role;                                -- ERROR
 DROP SERVER t1 CASCADE;
 DROP USER MAPPING FOR regress_test_role SERVER s6;
-- This test causes some order dependent cascade detail output,
-- so switch to terse mode for it.
 \set VERBOSITY terse
 DROP FOREIGN DATA WRAPPER foo CASCADE;
-\set VERBOSITY default
 DROP SERVER s8 CASCADE;
+\set VERBOSITY default
 DROP ROLE regress_test_indirect;
 DROP ROLE regress_test_role;
 DROP ROLE unprivileged_role;                                -- ERROR