database/postgres
database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-05-17 06:41:24 +03:00
Code

Disallow RESET ROLE and RESET SESSION AUTHORIZATION inside security-definer

Browse Source 
functions.

This extends the previous patch that forbade SETting these variables inside
security-definer functions.  RESET is equally a security hole, since it
would allow regaining privileges of the caller; furthermore it can trigger
Assert failures and perhaps other internal errors, since the code is not
expecting these variables to change in such contexts.  The previous patch
did not cover this case because assign hooks don't really have enough
information, so move the responsibility for preventing this into guc.c.

Problem discovered by Heikki Linnakangas.

Security: no CVE assigned yet, extends CVE-2007-6600
This commit is contained in:
Tom Lane 2009-09-03 22:09:06 +00:00
parent 8422728a2b
commit fd28d83bdc
3 changed files with 32 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
src/backend/commands/variable.c
View File

@ -9,7 +9,7 @@
* *
* *
* IDENTIFICATION * IDENTIFICATION
* $Header: /cvsroot/pgsql/src/backend/commands/variable.c,v 1.88.2.4 2008/01/03 21:25:33 tgl Exp $ * $Header: /cvsroot/pgsql/src/backend/commands/variable.c,v 1.88.2.5 2009/09/03 22:09:05 tgl Exp $
* *
*------------------------------------------------------------------------- *-------------------------------------------------------------------------
*/ */
@ -773,22 +773,6 @@ assign_session_authorization(const char *value, bool doit, bool interactive)
/* not a saved ID, so look it up */ /* not a saved ID, so look it up */
HeapTuple userTup; HeapTuple userTup;
if (InSecurityDefinerContext())
{
/*
* Disallow SET SESSION AUTHORIZATION inside a security definer
* context. We need to do this because when we exit the context,
* GUC won't be notified, leaving things out of sync. Note that
* this test is positioned so that restoring a previously saved
* setting isn't prevented.
*/
if (interactive)
ereport(ERROR,
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
errmsg("cannot set session authorization within security-definer function")));
return NULL;
}
if (!IsTransactionState()) if (!IsTransactionState())
{ {
/* /*

30
src/backend/utils/misc/guc.c
View File

@ -10,7 +10,7 @@
* Written by Peter Eisentraut <peter_e@gmx.net>. * Written by Peter Eisentraut <peter_e@gmx.net>.
* *
* IDENTIFICATION * IDENTIFICATION
* $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.164.2.5 2006/05/21 20:11:58 tgl Exp $ * $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.164.2.6 2009/09/03 22:09:05 tgl Exp $
* *
*-------------------------------------------------------------------- *--------------------------------------------------------------------
*/ */
@ -1511,7 +1511,7 @@ static struct config_string ConfigureNamesString[] =
{"session_authorization", PGC_USERSET, UNGROUPED, {"session_authorization", PGC_USERSET, UNGROUPED,
gettext_noop("Shows the session user name."), gettext_noop("Shows the session user name."),
NULL, NULL,
GUC_IS_NAME | GUC_REPORT | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE GUC_IS_NAME | GUC_REPORT | GUC_NO_SHOW_ALL | GUC_NO_RESET_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE | GUC_NOT_WHILE_SEC_DEF
}, },
&session_authorization_string, &session_authorization_string,
NULL, assign_session_authorization, show_session_authorization NULL, assign_session_authorization, show_session_authorization
@ -2514,6 +2514,32 @@ set_config_option(const char *name, const char *value,
break; break;
} }
/*
* Disallow changing GUC_NOT_WHILE_SEC_DEF values if we are inside a
* security-definer function. We can reject this regardless of
* the context or source, mainly because sources that it might be
* reasonable to override for won't be seen while inside a function.
*
* Note: variables marked GUC_NOT_WHILE_SEC_DEF should probably be marked
* GUC_NO_RESET_ALL as well, because ResetAllOptions() doesn't check this.
*
* Note: this flag is currently used for "session_authorization".
* We need to prohibit this because when we exit the sec-def
* context, GUC won't be notified, leaving things out of sync.
*
* XXX it would be nice to allow these cases in future, with the behavior
* being that the SET's effects end when the security definer context is
* exited.
*/
if ((record->flags & GUC_NOT_WHILE_SEC_DEF) && InSecurityDefinerContext())
{
ereport(elevel,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
errmsg("cannot set parameter \"%s\" within security-definer function",
name)));
return false;
}
/* Should we report errors interactively? */ /* Should we report errors interactively? */
interactive = (source >= PGC_S_SESSION); interactive = (source >= PGC_S_SESSION);

4
src/include/utils/guc_tables.h
View File

@ -7,7 +7,7 @@
* *
* Portions Copyright (c) 1996-2003, PostgreSQL Global Development Group * Portions Copyright (c) 1996-2003, PostgreSQL Global Development Group
* *
* $Id: guc_tables.h,v 1.6.4.1 2006/02/12 22:33:29 tgl Exp $ * $Id: guc_tables.h,v 1.6.4.2 2009/09/03 22:09:06 tgl Exp $
* *
*------------------------------------------------------------------------- *-------------------------------------------------------------------------
*/ */
@ -99,6 +99,8 @@ struct config_generic
#define GUC_DISALLOW_IN_FILE 0x0040 /* can't set in postgresql.conf */ #define GUC_DISALLOW_IN_FILE 0x0040 /* can't set in postgresql.conf */
#define GUC_IS_NAME 0x0080 /* limit string to NAMEDATALEN-1 */ #define GUC_IS_NAME 0x0080 /* limit string to NAMEDATALEN-1 */
#define GUC_NOT_WHILE_SEC_DEF 0x8000 /* can't change inside sec-def func */
/* bit values in status field */ /* bit values in status field */
#define GUC_HAVE_TENTATIVE 0x0001 /* tentative value is defined */ #define GUC_HAVE_TENTATIVE 0x0001 /* tentative value is defined */
#define GUC_HAVE_LOCAL 0x0002 /* a SET LOCAL has been executed */ #define GUC_HAVE_LOCAL 0x0002 /* a SET LOCAL has been executed */