open-dsi
/
postgres
mirror of https://github.com/postgres/postgres
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix security checks in selectivity estimation functions.

Browse Source 
Commit e2d4ef8de8 (the fix for CVE-2017-7484) added security checks
to the selectivity estimation functions to prevent them from running
user-supplied operators on data obtained from pg_statistic if the user
lacks privileges to select from the underlying table. In cases
involving inheritance/partitioning, those checks were originally
performed against the child RTE (which for plain inheritance might
actually refer to the parent table). Commit 553d2ec271 then extended
that to also check the parent RTE, allowing access if the user had
permissions on either the parent or the child. It turns out, however,
that doing any checks using the child RTE is incorrect, since
securityQuals is set to NULL when creating an RTE for an inheritance
child (whether it refers to the parent table or the child table), and
therefore such checks do not correctly account for any RLS policies or
security barrier views. Therefore, do the security checks using only
the parent RTE. This is consistent with how RLS policies are applied,
and the executor's ACL checks, both of which use only the parent
table's permissions/policies. Similar checks are performed in the
extended stats code, so update that in the same way, centralizing all
the checks in a new function.

In addition, note that these checks by themselves are insufficient to
ensure that the user has access to the table's data because, in a
query that goes via a view, they only check that the view owner has
permissions on the underlying table, not that the current user has
permissions on the view itself. In the selectivity estimation
functions, there is no easy way to navigate from underlying tables to
views, so add permissions checks for all views mentioned in the query
to the planner startup code. If the user lacks permissions on a view,
a permissions error will now be reported at planner-startup, and the
selectivity estimation functions will not be run.

Checking view permissions at planner-startup in this way is a little
ugly, since the same checks will be repeated at executor-startup.
Longer-term, it might be better to move all the permissions checks
from the executor to the planner so that permissions errors can be
reported sooner, instead of creating a plan that won't ever be run.
However, such a change seems too far-reaching to be back-patched.

Back-patch to all supported versions. In v13, there is the added
complication that UPDATEs and DELETEs on inherited target tables are
planned using inheritance_planner(), which plans each inheritance
child table separately, so that the selectivity estimation functions
do not know that they are dealing with a child table accessed via its
parent. Handle that by checking access permissions on the top parent
table at planner-startup, in the same way as we do for views. Any
securityQuals on the top parent table are moved down to the child
tables by inheritance_planner(), so they continue to be checked by the
selectivity estimation functions.

Author: Dean Rasheed <dean.a.rasheed@gmail.com>
Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us>
Reviewed-by: Noah Misch <noah@leadboat.com>
Backpatch-through: 13
Security: CVE-2025-8713
REL_18_STABLE
Dean Rasheed 1 month ago
parent 0d2734eac3
commit 64f77c6a65
12 changed files with 596 additions and 304 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 3
      src/backend/executor/execMain.c
  2. 33
      src/backend/optimizer/plan/planner.c
  3. 108
      src/backend/statistics/extended_stats.c
  4. 486
      src/backend/utils/adt/selfuncs.c
  5. 1
      src/include/executor/executor.h
  6. 4
      src/include/utils/selfuncs.h
  7. 13
      src/test/regress/expected/privileges.out
  8. 73
      src/test/regress/expected/rowsecurity.out
  9. 71
      src/test/regress/expected/stats_ext.out
  10. 12
      src/test/regress/sql/privileges.sql
  11. 51
      src/test/regress/sql/rowsecurity.sql
  12. 45
      src/test/regress/sql/stats_ext.sql

3
src/backend/executor/execMain.c
Unescape View File

@ -84,7 +84,6 @@ static void ExecutePlan(QueryDesc *queryDesc,
uint64 numberTuples, uint64 numberTuples,
ScanDirection direction, ScanDirection direction,
DestReceiver *dest); DestReceiver *dest);
static bool ExecCheckOneRelPerms(RTEPermissionInfo *perminfo);
static bool ExecCheckPermissionsModified(Oid relOid, Oid userid, static bool ExecCheckPermissionsModified(Oid relOid, Oid userid,
Bitmapset *modifiedCols, Bitmapset *modifiedCols,
AclMode requiredPerms); AclMode requiredPerms);
@ -643,7 +642,7 @@ ExecCheckPermissions(List *rangeTable, List *rteperminfos,
* ExecCheckOneRelPerms * ExecCheckOneRelPerms
* Check access permissions for a single relation. * Check access permissions for a single relation.
*/ */
static bool bool
ExecCheckOneRelPerms(RTEPermissionInfo *perminfo) ExecCheckOneRelPerms(RTEPermissionInfo *perminfo)
{ {
AclMode requiredPerms; AclMode requiredPerms;

33
src/backend/optimizer/plan/planner.c
Unescape View File

@ -58,6 +58,7 @@
#include "parser/parsetree.h" #include "parser/parsetree.h"
#include "partitioning/partdesc.h" #include "partitioning/partdesc.h"
#include "rewrite/rewriteManip.h" #include "rewrite/rewriteManip.h"
#include "utils/acl.h"
#include "utils/backend_status.h" #include "utils/backend_status.h"
#include "utils/lsyscache.h" #include "utils/lsyscache.h"
#include "utils/rel.h" #include "utils/rel.h"
@ -848,6 +849,38 @@ subquery_planner(PlannerGlobal *glob, Query *parse, PlannerInfo *parent_root,
bms_make_singleton(parse->resultRelation); bms_make_singleton(parse->resultRelation);
} }
/*
* This would be a convenient time to check access permissions for all
* relations mentioned in the query, since it would be better to fail now,
* before doing any detailed planning. However, for historical reasons,
* we leave this to be done at executor startup.
*
* Note, however, that we do need to check access permissions for any view
* relations mentioned in the query, in order to prevent information being
* leaked by selectivity estimation functions, which only check view owner
* permissions on underlying tables (see all_rows_selectable() and its
* callers). This is a little ugly, because it means that access
* permissions for views will be checked twice, which is another reason
* why it would be better to do all the ACL checks here.
*/
foreach(l, parse->rtable)
{
RangeTblEntry *rte = lfirst_node(RangeTblEntry, l);
if (rte->perminfoindex != 0 &&
rte->relkind == RELKIND_VIEW)
{
RTEPermissionInfo *perminfo;
bool result;
perminfo = getRTEPermissionInfo(parse->rteperminfos, rte);
result = ExecCheckOneRelPerms(perminfo);
if (!result)
aclcheck_error(ACLCHECK_NO_PRIV, OBJECT_VIEW,
get_rel_name(perminfo->relid));
}
}
/* /*
* Preprocess RowMark information. We need to do this after subquery * Preprocess RowMark information. We need to do this after subquery
* pullup, so that all base relations are present. * pullup, so that all base relations are present.

108
src/backend/statistics/extended_stats.c
Unescape View File

@ -1317,6 +1317,9 @@ choose_best_statistics(List *stats, char requiredkind, bool inh,
* so we can't cope with system columns. * so we can't cope with system columns.
* *exprs: input/output parameter collecting primitive subclauses within * *exprs: input/output parameter collecting primitive subclauses within
* the clause tree * the clause tree
* *leakproof: input/output parameter recording the leakproofness of the
* clause tree. This should be true initially, and will be set to false
* if any operator function used in an OpExpr is not leakproof.
* *
* Returns false if there is something we definitively can't handle. * Returns false if there is something we definitively can't handle.
* On true return, we can proceed to match the *exprs against statistics. * On true return, we can proceed to match the *exprs against statistics.
@ -1324,7 +1327,7 @@ choose_best_statistics(List *stats, char requiredkind, bool inh,
static bool static bool
statext_is_compatible_clause_internal(PlannerInfo *root, Node *clause, statext_is_compatible_clause_internal(PlannerInfo *root, Node *clause,
Index relid, Bitmapset **attnums, Index relid, Bitmapset **attnums,
List **exprs) List **exprs, bool *leakproof)
{ {
/* Look inside any binary-compatible relabeling (as in examine_variable) */ /* Look inside any binary-compatible relabeling (as in examine_variable) */
if (IsA(clause, RelabelType)) if (IsA(clause, RelabelType))
@ -1359,7 +1362,6 @@ statext_is_compatible_clause_internal(PlannerInfo *root, Node *clause,
/* (Var/Expr op Const) or (Const op Var/Expr) */ /* (Var/Expr op Const) or (Const op Var/Expr) */
if (is_opclause(clause)) if (is_opclause(clause))
{ {
RangeTblEntry *rte = root->simple_rte_array[relid];
OpExpr *expr = (OpExpr *) clause; OpExpr *expr = (OpExpr *) clause;
Node *clause_expr; Node *clause_expr;
@ -1394,24 +1396,15 @@ statext_is_compatible_clause_internal(PlannerInfo *root, Node *clause,
return false; return false;
} }
/* /* Check if the operator is leakproof */
* If there are any securityQuals on the RTE from security barrier if (*leakproof)
* views or RLS policies, then the user may not have access to all the *leakproof = get_func_leakproof(get_opcode(expr->opno));
* table's data, and we must check that the operator is leakproof.
*
* If the operator is leaky, then we must ignore this clause for the
* purposes of estimating with MCV lists, otherwise the operator might
* reveal values from the MCV list that the user doesn't have
* permission to see.
*/
if (rte->securityQuals != NIL &&
!get_func_leakproof(get_opcode(expr->opno)))
return false;
/* Check (Var op Const) or (Const op Var) clauses by recursing. */ /* Check (Var op Const) or (Const op Var) clauses by recursing. */
if (IsA(clause_expr, Var)) if (IsA(clause_expr, Var))
return statext_is_compatible_clause_internal(root, clause_expr, return statext_is_compatible_clause_internal(root, clause_expr,
relid, attnums, exprs); relid, attnums,
exprs, leakproof);
/* Otherwise we have (Expr op Const) or (Const op Expr). */ /* Otherwise we have (Expr op Const) or (Const op Expr). */
*exprs = lappend(*exprs, clause_expr); *exprs = lappend(*exprs, clause_expr);
@ -1421,7 +1414,6 @@ statext_is_compatible_clause_internal(PlannerInfo *root, Node *clause,
/* Var/Expr IN Array */ /* Var/Expr IN Array */
if (IsA(clause, ScalarArrayOpExpr)) if (IsA(clause, ScalarArrayOpExpr))
{ {
RangeTblEntry *rte = root->simple_rte_array[relid];
ScalarArrayOpExpr *expr = (ScalarArrayOpExpr *) clause; ScalarArrayOpExpr *expr = (ScalarArrayOpExpr *) clause;
Node *clause_expr; Node *clause_expr;
bool expronleft; bool expronleft;
@ -1461,24 +1453,15 @@ statext_is_compatible_clause_internal(PlannerInfo *root, Node *clause,
return false; return false;
} }
/* /* Check if the operator is leakproof */
* If there are any securityQuals on the RTE from security barrier if (*leakproof)
* views or RLS policies, then the user may not have access to all the *leakproof = get_func_leakproof(get_opcode(expr->opno));
* table's data, and we must check that the operator is leakproof.
*
* If the operator is leaky, then we must ignore this clause for the
* purposes of estimating with MCV lists, otherwise the operator might
* reveal values from the MCV list that the user doesn't have
* permission to see.
*/
if (rte->securityQuals != NIL &&
!get_func_leakproof(get_opcode(expr->opno)))
return false;
/* Check Var IN Array clauses by recursing. */ /* Check Var IN Array clauses by recursing. */
if (IsA(clause_expr, Var)) if (IsA(clause_expr, Var))
return statext_is_compatible_clause_internal(root, clause_expr, return statext_is_compatible_clause_internal(root, clause_expr,
relid, attnums, exprs); relid, attnums,
exprs, leakproof);
/* Otherwise we have Expr IN Array. */ /* Otherwise we have Expr IN Array. */
*exprs = lappend(*exprs, clause_expr); *exprs = lappend(*exprs, clause_expr);
@ -1515,7 +1498,8 @@ statext_is_compatible_clause_internal(PlannerInfo *root, Node *clause,
*/ */
if (!statext_is_compatible_clause_internal(root, if (!statext_is_compatible_clause_internal(root,
(Node *) lfirst(lc), (Node *) lfirst(lc),
relid, attnums, exprs)) relid, attnums, exprs,
leakproof))
return false; return false;
} }
@ -1529,8 +1513,10 @@ statext_is_compatible_clause_internal(PlannerInfo *root, Node *clause,
/* Check Var IS NULL clauses by recursing. */ /* Check Var IS NULL clauses by recursing. */
if (IsA(nt->arg, Var)) if (IsA(nt->arg, Var))
return statext_is_compatible_clause_internal(root, (Node *) (nt->arg), return statext_is_compatible_clause_internal(root,
relid, attnums, exprs); (Node *) (nt->arg),
relid, attnums,
exprs, leakproof);
/* Otherwise we have Expr IS NULL. */ /* Otherwise we have Expr IS NULL. */
*exprs = lappend(*exprs, nt->arg); *exprs = lappend(*exprs, nt->arg);
@ -1569,11 +1555,9 @@ static bool
statext_is_compatible_clause(PlannerInfo *root, Node *clause, Index relid, statext_is_compatible_clause(PlannerInfo *root, Node *clause, Index relid,
Bitmapset **attnums, List **exprs) Bitmapset **attnums, List **exprs)
{ {
RangeTblEntry *rte = root->simple_rte_array[relid];
RelOptInfo *rel = root->simple_rel_array[relid];
RestrictInfo *rinfo; RestrictInfo *rinfo;
int clause_relid; int clause_relid;
Oid userid; bool leakproof;
/* /*
* Special-case handling for bare BoolExpr AND clauses, because the * Special-case handling for bare BoolExpr AND clauses, because the
@ -1613,18 +1597,31 @@ statext_is_compatible_clause(PlannerInfo *root, Node *clause, Index relid,
clause_relid != relid) clause_relid != relid)
return false; return false;
/* Check the clause and determine what attributes it references. */ /*
* Check the clause, determine what attributes it references, and whether
* it includes any non-leakproof operators.
*/
leakproof = true;
if (!statext_is_compatible_clause_internal(root, (Node *) rinfo->clause, if (!statext_is_compatible_clause_internal(root, (Node *) rinfo->clause,
relid, attnums, exprs)) relid, attnums, exprs,
&leakproof))
return false; return false;
/* /*
* Check that the user has permission to read all required attributes. * If the clause includes any non-leakproof operators, check that the user
* has permission to read all required attributes, otherwise the operators
* might reveal values from the MCV list that the user doesn't have
* permission to see. We require all rows to be selectable --- there must
* be no securityQuals from security barrier views or RLS policies. See
* similar code in examine_variable(), examine_simple_variable(), and
* statistic_proc_security_check().
*
* Note that for an inheritance child, the permission checks are performed
* on the inheritance root parent, and whole-table select privilege on the
* parent doesn't guarantee that the user could read all columns of the
* child. Therefore we must check all referenced columns.
*/ */
userid = OidIsValid(rel->userid) ? rel->userid : GetUserId(); if (!leakproof)
/* Table-level SELECT privilege is sufficient for all columns */
if (pg_class_aclcheck(rte->relid, userid, ACL_SELECT) != ACLCHECK_OK)
{ {
Bitmapset *clause_attnums = NULL; Bitmapset *clause_attnums = NULL;
int attnum = -1; int attnum = -1;
@ -1649,26 +1646,9 @@ statext_is_compatible_clause(PlannerInfo *root, Node *clause, Index relid,
if (*exprs != NIL) if (*exprs != NIL)
pull_varattnos((Node *) *exprs, relid, &clause_attnums); pull_varattnos((Node *) *exprs, relid, &clause_attnums);
attnum = -1; /* Must have permission to read all rows from these columns */
while ((attnum = bms_next_member(clause_attnums, attnum)) >= 0) if (!all_rows_selectable(root, relid, clause_attnums))
{ return false;
/* Undo the offset */
AttrNumber attno = attnum + FirstLowInvalidHeapAttributeNumber;
if (attno == InvalidAttrNumber)
{
/* Whole-row reference, so must have access to all columns */
if (pg_attribute_aclcheck_all(rte->relid, userid, ACL_SELECT,
ACLMASK_ALL) != ACLCHECK_OK)
return false;
}
else
{
if (pg_attribute_aclcheck(rte->relid, attno, userid,
ACL_SELECT) != ACLCHECK_OK)
return false;
}
}
} }
/* If we reach here, the clause is OK */ /* If we reach here, the clause is OK */

486
src/backend/utils/adt/selfuncs.c
Unescape View File

@ -5279,8 +5279,8 @@ ReleaseDummy(HeapTuple tuple)
* unique for this query. (Caution: this should be trusted for * unique for this query. (Caution: this should be trusted for
* statistical purposes only, since we do not check indimmediate nor * statistical purposes only, since we do not check indimmediate nor
* verify that the exact same definition of equality applies.) * verify that the exact same definition of equality applies.)
* acl_ok: true if current user has permission to read the column(s) * acl_ok: true if current user has permission to read all table rows from
* underlying the pg_statistic entry. This is consulted by * the column(s) underlying the pg_statistic entry. This is consulted by
* statistic_proc_security_check(). * statistic_proc_security_check().
* *
* Caller is responsible for doing ReleaseVariableStats() before exiting. * Caller is responsible for doing ReleaseVariableStats() before exiting.
@ -5399,7 +5399,6 @@ examine_variable(PlannerInfo *root, Node *node, int varRelid,
*/ */
ListCell *ilist; ListCell *ilist;
ListCell *slist; ListCell *slist;
Oid userid;
/* /*
* The nullingrels bits within the expression could prevent us from * The nullingrels bits within the expression could prevent us from
@ -5409,17 +5408,6 @@ examine_variable(PlannerInfo *root, Node *node, int varRelid,
if (bms_overlap(varnos, root->outer_join_rels)) if (bms_overlap(varnos, root->outer_join_rels))
node = remove_nulling_relids(node, root->outer_join_rels, NULL); node = remove_nulling_relids(node, root->outer_join_rels, NULL);
/*
* Determine the user ID to use for privilege checks: either
* onerel->userid if it's set (e.g., in case we're accessing the table
* via a view), or the current user otherwise.
*
* If we drill down to child relations, we keep using the same userid:
* it's going to be the same anyway, due to how we set up the relation
* tree (q.v. build_simple_rel).
*/
userid = OidIsValid(onerel->userid) ? onerel->userid : GetUserId();
foreach(ilist, onerel->indexlist) foreach(ilist, onerel->indexlist)
{ {
IndexOptInfo *index = (IndexOptInfo *) lfirst(ilist); IndexOptInfo *index = (IndexOptInfo *) lfirst(ilist);
@ -5487,69 +5475,32 @@ examine_variable(PlannerInfo *root, Node *node, int varRelid,
if (HeapTupleIsValid(vardata->statsTuple)) if (HeapTupleIsValid(vardata->statsTuple))
{ {
/* Get index's table for permission check */
RangeTblEntry *rte;
rte = planner_rt_fetch(index->rel->relid, root);
Assert(rte->rtekind == RTE_RELATION);
/* /*
* Test if user has permission to access all
* rows from the index's table.
*
* For simplicity, we insist on the whole * For simplicity, we insist on the whole
* table being selectable, rather than trying * table being selectable, rather than trying
* to identify which column(s) the index * to identify which column(s) the index
* depends on. Also require all rows to be * depends on.
* selectable --- there must be no *
* securityQuals from security barrier views * Note that for an inheritance child,
* or RLS policies. * permissions are checked on the inheritance
* root parent, and whole-table select
* privilege on the parent doesn't quite
* guarantee that the user could read all
* columns of the child. But in practice it's
* unlikely that any interesting security
* violation could result from allowing access
* to the expression index's stats, so we
* allow it anyway. See similar code in
* examine_simple_variable() for additional
* comments.
*/ */
vardata->acl_ok = vardata->acl_ok =
rte->securityQuals == NIL && all_rows_selectable(root,
(pg_class_aclcheck(rte->relid, userid, index->rel->relid,
ACL_SELECT) == ACLCHECK_OK); NULL);
/*
* If the user doesn't have permissions to
* access an inheritance child relation, check
* the permissions of the table actually
* mentioned in the query, since most likely
* the user does have that permission. Note
* that whole-table select privilege on the
* parent doesn't quite guarantee that the
* user could read all columns of the child.
* But in practice it's unlikely that any
* interesting security violation could result
* from allowing access to the expression
* index's stats, so we allow it anyway. See
* similar code in examine_simple_variable()
* for additional comments.
*/
if (!vardata->acl_ok &&
root->append_rel_array != NULL)
{
AppendRelInfo *appinfo;
Index varno = index->rel->relid;
appinfo = root->append_rel_array[varno];
while (appinfo &&
planner_rt_fetch(appinfo->parent_relid,
root)->rtekind == RTE_RELATION)
{
varno = appinfo->parent_relid;
appinfo = root->append_rel_array[varno];
}
if (varno != index->rel->relid)
{
/* Repeat access check on this rel */
rte = planner_rt_fetch(varno, root);
Assert(rte->rtekind == RTE_RELATION);
vardata->acl_ok =
rte->securityQuals == NIL &&
(pg_class_aclcheck(rte->relid,
userid,
ACL_SELECT) == ACLCHECK_OK);
}
}
} }
else else
{ {
@ -5619,58 +5570,26 @@ examine_variable(PlannerInfo *root, Node *node, int varRelid,
vardata->freefunc = ReleaseDummy; vardata->freefunc = ReleaseDummy;
/* /*
* Test if user has permission to access all rows from the
* table.
*
* For simplicity, we insist on the whole table being * For simplicity, we insist on the whole table being
* selectable, rather than trying to identify which * selectable, rather than trying to identify which
* column(s) the statistics object depends on. Also * column(s) the statistics object depends on.
* require all rows to be selectable --- there must be no *
* securityQuals from security barrier views or RLS * Note that for an inheritance child, permissions are
* policies. * checked on the inheritance root parent, and whole-table
* select privilege on the parent doesn't quite guarantee
* that the user could read all columns of the child. But
* in practice it's unlikely that any interesting security
* violation could result from allowing access to the
* expression stats, so we allow it anyway. See similar
* code in examine_simple_variable() for additional
* comments.
*/ */
vardata->acl_ok = vardata->acl_ok = all_rows_selectable(root,
rte->securityQuals == NIL && onerel->relid,
(pg_class_aclcheck(rte->relid, userid, NULL);
ACL_SELECT) == ACLCHECK_OK);
/*
* If the user doesn't have permissions to access an
* inheritance child relation, check the permissions of
* the table actually mentioned in the query, since most
* likely the user does have that permission. Note that
* whole-table select privilege on the parent doesn't
* quite guarantee that the user could read all columns of
* the child. But in practice it's unlikely that any
* interesting security violation could result from
* allowing access to the expression stats, so we allow it
* anyway. See similar code in examine_simple_variable()
* for additional comments.
*/
if (!vardata->acl_ok &&
root->append_rel_array != NULL)
{
AppendRelInfo *appinfo;
Index varno = onerel->relid;
appinfo = root->append_rel_array[varno];
while (appinfo &&
planner_rt_fetch(appinfo->parent_relid,
root)->rtekind == RTE_RELATION)
{
varno = appinfo->parent_relid;
appinfo = root->append_rel_array[varno];
}
if (varno != onerel->relid)
{
/* Repeat access check on this rel */
rte = planner_rt_fetch(varno, root);
Assert(rte->rtekind == RTE_RELATION);
vardata->acl_ok =
rte->securityQuals == NIL &&
(pg_class_aclcheck(rte->relid,
userid,
ACL_SELECT) == ACLCHECK_OK);
}
}
break; break;
} }
@ -5725,109 +5644,20 @@ examine_simple_variable(PlannerInfo *root, Var *var,
if (HeapTupleIsValid(vardata->statsTuple)) if (HeapTupleIsValid(vardata->statsTuple))
{ {
RelOptInfo *onerel = find_base_rel_noerr(root, var->varno);
Oid userid;
/* /*
* Check if user has permission to read this column. We require * Test if user has permission to read all rows from this column.
* all rows to be accessible, so there must be no securityQuals
* from security barrier views or RLS policies.
* *
* Normally the Var will have an associated RelOptInfo from which * This requires that the user has the appropriate SELECT
* we can find out which userid to do the check as; but it might * privileges and that there are no securityQuals from security
* not if it's a RETURNING Var for an INSERT target relation. In * barrier views or RLS policies. If that's not the case, then we
* that case use the RTEPermissionInfo associated with the RTE. * only permit leakproof functions to be passed pg_statistic data
* in vardata, otherwise the functions might reveal data that the
* user doesn't have permission to see --- see
* statistic_proc_security_check().
*/ */
if (onerel)
userid = onerel->userid;
else
{
RTEPermissionInfo *perminfo;
perminfo = getRTEPermissionInfo(root->parse->rteperminfos, rte);
userid = perminfo->checkAsUser;
}
if (!OidIsValid(userid))
userid = GetUserId();
vardata->acl_ok = vardata->acl_ok =
rte->securityQuals == NIL && all_rows_selectable(root, var->varno,
((pg_class_aclcheck(rte->relid, userid, bms_make_singleton(var->varattno - FirstLowInvalidHeapAttributeNumber));
ACL_SELECT) == ACLCHECK_OK) ||
(pg_attribute_aclcheck(rte->relid, var->varattno, userid,
ACL_SELECT) == ACLCHECK_OK));
/*
* If the user doesn't have permissions to access an inheritance
* child relation or specifically this attribute, check the
* permissions of the table/column actually mentioned in the
* query, since most likely the user does have that permission
* (else the query will fail at runtime), and if the user can read
* the column there then he can get the values of the child table
* too. To do that, we must find out which of the root parent's
* attributes the child relation's attribute corresponds to.
*/
if (!vardata->acl_ok && var->varattno > 0 &&
root->append_rel_array != NULL)
{
AppendRelInfo *appinfo;
Index varno = var->varno;
int varattno = var->varattno;
bool found = false;
appinfo = root->append_rel_array[varno];
/*
* Partitions are mapped to their immediate parent, not the
* root parent, so must be ready to walk up multiple
* AppendRelInfos. But stop if we hit a parent that is not
* RTE_RELATION --- that's a flattened UNION ALL subquery, not
* an inheritance parent.
*/
while (appinfo &&
planner_rt_fetch(appinfo->parent_relid,
root)->rtekind == RTE_RELATION)
{
int parent_varattno;
found = false;
if (varattno <= 0 || varattno > appinfo->num_child_cols)
break; /* safety check */
parent_varattno = appinfo->parent_colnos[varattno - 1];
if (parent_varattno == 0)
break; /* Var is local to child */
varno = appinfo->parent_relid;
varattno = parent_varattno;
found = true;
/* If the parent is itself a child, continue up. */
appinfo = root->append_rel_array[varno];
}
/*
* In rare cases, the Var may be local to the child table, in
* which case, we've got to live with having no access to this
* column's stats.
*/
if (!found)
return;
/* Repeat the access check on this parent rel & column */
rte = planner_rt_fetch(varno, root);
Assert(rte->rtekind == RTE_RELATION);
/*
* Fine to use the same userid as it's the same in all
* relations of a given inheritance tree.
*/
vardata->acl_ok =
rte->securityQuals == NIL &&
((pg_class_aclcheck(rte->relid, userid,
ACL_SELECT) == ACLCHECK_OK) ||
(pg_attribute_aclcheck(rte->relid, varattno, userid,
ACL_SELECT) == ACLCHECK_OK));
}
} }
else else
{ {
@ -6024,6 +5854,214 @@ examine_simple_variable(PlannerInfo *root, Var *var,
} }
} }
/*
* all_rows_selectable
* Test whether the user has permission to select all rows from a given
* relation.
*
* Inputs:
* root: the planner info
* varno: the index of the relation (assumed to be an RTE_RELATION)
* varattnos: the attributes for which permission is required, or NULL if
* whole-table access is required
*
* Returns true if the user has the required select permissions, and there are
* no securityQuals from security barrier views or RLS policies.
*
* Note that if the relation is an inheritance child relation, securityQuals
* and access permissions are checked against the inheritance root parent (the
* relation actually mentioned in the query) --- see the comments in
* expand_single_inheritance_child() for an explanation of why it has to be
* done this way.
*
* If varattnos is non-NULL, its attribute numbers should be offset by
* FirstLowInvalidHeapAttributeNumber so that system attributes can be
* checked. If varattnos is NULL, only table-level SELECT privileges are
* checked, not any column-level privileges.
*
* Note: if the relation is accessed via a view, this function actually tests
* whether the view owner has permission to select from the relation. To
* ensure that the current user has permission, it is also necessary to check
* that the current user has permission to select from the view, which we do
* at planner-startup --- see subquery_planner().
*
* This is exported so that other estimation functions can use it.
*/
bool
all_rows_selectable(PlannerInfo *root, Index varno, Bitmapset *varattnos)
{
RelOptInfo *rel = find_base_rel_noerr(root, varno);
RangeTblEntry *rte = planner_rt_fetch(varno, root);
Oid userid;
int varattno;
Assert(rte->rtekind == RTE_RELATION);
/*
* Determine the user ID to use for privilege checks (either the current
* user or the view owner, if we're accessing the table via a view).
*
* Normally the relation will have an associated RelOptInfo from which we
* can find the userid, but it might not if it's a RETURNING Var for an
* INSERT target relation. In that case use the RTEPermissionInfo
* associated with the RTE.
*
* If we navigate up to a parent relation, we keep using the same userid,
* since it's the same in all relations of a given inheritance tree.
*/
if (rel)
userid = rel->userid;
else
{
RTEPermissionInfo *perminfo;
perminfo = getRTEPermissionInfo(root->parse->rteperminfos, rte);
userid = perminfo->checkAsUser;
}
if (!OidIsValid(userid))
userid = GetUserId();
/*
* Permissions and securityQuals must be checked on the table actually
* mentioned in the query, so if this is an inheritance child, navigate up
* to the inheritance root parent. If the user can read the whole table
* or the required columns there, then they can read from the child table
* too. For per-column checks, we must find out which of the root
* parent's attributes the child relation's attributes correspond to.
*/
if (root->append_rel_array != NULL)
{
AppendRelInfo *appinfo;
appinfo = root->append_rel_array[varno];
/*
* Partitions are mapped to their immediate parent, not the root
* parent, so must be ready to walk up multiple AppendRelInfos. But
* stop if we hit a parent that is not RTE_RELATION --- that's a
* flattened UNION ALL subquery, not an inheritance parent.
*/
while (appinfo &&
planner_rt_fetch(appinfo->parent_relid,
root)->rtekind == RTE_RELATION)
{
Bitmapset *parent_varattnos = NULL;
/*
* For each child attribute, find the corresponding parent
* attribute. In rare cases, the attribute may be local to the
* child table, in which case, we've got to live with having no
* access to this column.
*/
varattno = -1;
while ((varattno = bms_next_member(varattnos, varattno)) >= 0)
{
AttrNumber attno;
AttrNumber parent_attno;
attno = varattno + FirstLowInvalidHeapAttributeNumber;
if (attno == InvalidAttrNumber)
{
/*
* Whole-row reference, so must map each column of the
* child to the parent table.
*/
for (attno = 1; attno <= appinfo->num_child_cols; attno++)
{
parent_attno = appinfo->parent_colnos[attno - 1];
if (parent_attno == 0)
return false; /* attr is local to child */
parent_varattnos =
bms_add_member(parent_varattnos,
parent_attno - FirstLowInvalidHeapAttributeNumber);
}
}
else
{
if (attno < 0)
{
/* System attnos are the same in all tables */
parent_attno = attno;
}
else
{
if (attno > appinfo->num_child_cols)
return false; /* safety check */
parent_attno = appinfo->parent_colnos[attno - 1];
if (parent_attno == 0)
return false; /* attr is local to child */
}
parent_varattnos =
bms_add_member(parent_varattnos,
parent_attno - FirstLowInvalidHeapAttributeNumber);
}
}
/* If the parent is itself a child, continue up */
varno = appinfo->parent_relid;
varattnos = parent_varattnos;
appinfo = root->append_rel_array[varno];
}
/* Perform the access check on this parent rel */
rte = planner_rt_fetch(varno, root);
Assert(rte->rtekind == RTE_RELATION);
}
/*
* For all rows to be accessible, there must be no securityQuals from
* security barrier views or RLS policies.
*/
if (rte->securityQuals != NIL)
return false;
/*
* Test for table-level SELECT privilege.
*
* If varattnos is non-NULL, this is sufficient to give access to all
* requested attributes, even for a child table, since we have verified
* that all required child columns have matching parent columns.
*
* If varattnos is NULL (whole-table access requested), this doesn't
* necessarily guarantee that the user can read all columns of a child
* table, but we allow it anyway (see comments in examine_variable()) and
* don't bother checking any column privileges.
*/
if (pg_class_aclcheck(rte->relid, userid, ACL_SELECT) == ACLCHECK_OK)
return true;
if (varattnos == NULL)
return false; /* whole-table access requested */
/*
* Don't have table-level SELECT privilege, so check per-column
* privileges.
*/
varattno = -1;
while ((varattno = bms_next_member(varattnos, varattno)) >= 0)
{
AttrNumber attno = varattno + FirstLowInvalidHeapAttributeNumber;
if (attno == InvalidAttrNumber)
{
/* Whole-row reference, so must have access to all columns */
if (pg_attribute_aclcheck_all(rte->relid, userid, ACL_SELECT,
ACLMASK_ALL) != ACLCHECK_OK)
return false;
}
else
{
if (pg_attribute_aclcheck(rte->relid, attno, userid,
ACL_SELECT) != ACLCHECK_OK)
return false;
}
}
/* If we reach here, have all required column privileges */
return true;
}
/* /*
* examine_indexcol_variable * examine_indexcol_variable
* Try to look up statistical data about an index column/expression. * Try to look up statistical data about an index column/expression.
@ -6112,15 +6150,17 @@ examine_indexcol_variable(PlannerInfo *root, IndexOptInfo *index,
/* /*
* Check whether it is permitted to call func_oid passing some of the * Check whether it is permitted to call func_oid passing some of the
* pg_statistic data in vardata. We allow this either if the user has SELECT * pg_statistic data in vardata. We allow this if either of the following
* privileges on the table or column underlying the pg_statistic data or if * conditions is met: (1) the user has SELECT privileges on the table or
* the function is marked leakproof. * column underlying the pg_statistic data and there are no securityQuals from
* security barrier views or RLS policies, or (2) the function is marked
* leakproof.
*/ */
bool bool
statistic_proc_security_check(VariableStatData *vardata, Oid func_oid) statistic_proc_security_check(VariableStatData *vardata, Oid func_oid)
{ {
if (vardata->acl_ok) if (vardata->acl_ok)
return true; return true; /* have SELECT privs and no securityQuals */
if (!OidIsValid(func_oid)) if (!OidIsValid(func_oid))
return false; return false;

1
src/include/executor/executor.h
Unescape View File

@ -241,6 +241,7 @@ extern void standard_ExecutorEnd(QueryDesc *queryDesc);
extern void ExecutorRewind(QueryDesc *queryDesc); extern void ExecutorRewind(QueryDesc *queryDesc);
extern bool ExecCheckPermissions(List *rangeTable, extern bool ExecCheckPermissions(List *rangeTable,
List *rteperminfos, bool ereport_on_violation); List *rteperminfos, bool ereport_on_violation);
extern bool ExecCheckOneRelPerms(RTEPermissionInfo *perminfo);
extern void CheckValidResultRel(ResultRelInfo *resultRelInfo, CmdType operation, extern void CheckValidResultRel(ResultRelInfo *resultRelInfo, CmdType operation,
List *mergeActions); List *mergeActions);
extern void InitResultRelInfo(ResultRelInfo *resultRelInfo, extern void InitResultRelInfo(ResultRelInfo *resultRelInfo,

4
src/include/utils/selfuncs.h
Unescape View File

@ -96,7 +96,8 @@ typedef struct VariableStatData
int32 atttypmod; /* actual typmod (after stripping relabel) */ int32 atttypmod; /* actual typmod (after stripping relabel) */
bool isunique; /* matches unique index, DISTINCT or GROUP-BY bool isunique; /* matches unique index, DISTINCT or GROUP-BY
* clause */ * clause */
bool acl_ok; /* result of ACL check on table or column */ bool acl_ok; /* true if user has SELECT privilege on all
* rows from the table or column */
} VariableStatData; } VariableStatData;
#define ReleaseVariableStats(vardata) \ #define ReleaseVariableStats(vardata) \
@ -153,6 +154,7 @@ extern PGDLLIMPORT get_index_stats_hook_type get_index_stats_hook;
extern void examine_variable(PlannerInfo *root, Node *node, int varRelid, extern void examine_variable(PlannerInfo *root, Node *node, int varRelid,
VariableStatData *vardata); VariableStatData *vardata);
extern bool all_rows_selectable(PlannerInfo *root, Index varno, Bitmapset *varattnos);
extern bool statistic_proc_security_check(VariableStatData *vardata, Oid func_oid); extern bool statistic_proc_security_check(VariableStatData *vardata, Oid func_oid);
extern bool get_restriction_variable(PlannerInfo *root, List *args, extern bool get_restriction_variable(PlannerInfo *root, List *args,
int varRelid, int varRelid,

13
src/test/regress/expected/privileges.out
Unescape View File

@ -513,8 +513,6 @@ CREATE VIEW atest12v AS
SELECT * FROM atest12 WHERE b <<< 5; SELECT * FROM atest12 WHERE b <<< 5;
CREATE VIEW atest12sbv WITH (security_barrier=true) AS CREATE VIEW atest12sbv WITH (security_barrier=true) AS
SELECT * FROM atest12 WHERE b <<< 5; SELECT * FROM atest12 WHERE b <<< 5;
GRANT SELECT ON atest12v TO PUBLIC;
GRANT SELECT ON atest12sbv TO PUBLIC;
-- This plan should use nestloop, knowing that few rows will be selected. -- This plan should use nestloop, knowing that few rows will be selected.
EXPLAIN (COSTS OFF) SELECT * FROM atest12v x, atest12v y WHERE x.a = y.b; EXPLAIN (COSTS OFF) SELECT * FROM atest12v x, atest12v y WHERE x.a = y.b;
QUERY PLAN QUERY PLAN
@ -560,9 +558,18 @@ CREATE FUNCTION leak2(integer,integer) RETURNS boolean
LANGUAGE plpgsql immutable; LANGUAGE plpgsql immutable;
CREATE OPERATOR >>> (procedure = leak2, leftarg = integer, rightarg = integer, CREATE OPERATOR >>> (procedure = leak2, leftarg = integer, rightarg = integer,
restrict = scalargtsel); restrict = scalargtsel);
-- This should not show any "leak" notices before failing. -- These should not show any "leak" notices before failing.
EXPLAIN (COSTS OFF) SELECT * FROM atest12 WHERE a >>> 0; EXPLAIN (COSTS OFF) SELECT * FROM atest12 WHERE a >>> 0;
ERROR: permission denied for table atest12 ERROR: permission denied for table atest12
EXPLAIN (COSTS OFF) SELECT * FROM atest12v WHERE a >>> 0;
ERROR: permission denied for view atest12v
EXPLAIN (COSTS OFF) SELECT * FROM atest12sbv WHERE a >>> 0;
ERROR: permission denied for view atest12sbv
-- Now regress_priv_user1 grants access to regress_priv_user2 via the views.
SET SESSION AUTHORIZATION regress_priv_user1;
GRANT SELECT ON atest12v TO PUBLIC;
GRANT SELECT ON atest12sbv TO PUBLIC;
SET SESSION AUTHORIZATION regress_priv_user2;
-- These plans should continue to use a nestloop, since they execute with the -- These plans should continue to use a nestloop, since they execute with the
-- privileges of the view owner. -- privileges of the view owner.
EXPLAIN (COSTS OFF) SELECT * FROM atest12v x, atest12v y WHERE x.a = y.b; EXPLAIN (COSTS OFF) SELECT * FROM atest12v x, atest12v y WHERE x.a = y.b;

73
src/test/regress/expected/rowsecurity.out
Unescape View File

@ -4506,7 +4506,7 @@ RESET SESSION AUTHORIZATION;
DROP VIEW rls_view; DROP VIEW rls_view;
DROP TABLE rls_tbl; DROP TABLE rls_tbl;
DROP TABLE ref_tbl; DROP TABLE ref_tbl;
-- Leaky operator test -- Leaky operator tests
CREATE TABLE rls_tbl (a int); CREATE TABLE rls_tbl (a int);
INSERT INTO rls_tbl SELECT x/10 FROM generate_series(1, 100) x; INSERT INTO rls_tbl SELECT x/10 FROM generate_series(1, 100) x;
ANALYZE rls_tbl; ANALYZE rls_tbl;
@ -4530,9 +4530,80 @@ EXPLAIN (COSTS OFF) SELECT * FROM rls_tbl WHERE a <<< 1000 or a <<< 900;
One-Time Filter: false One-Time Filter: false
(2 rows) (2 rows)
RESET SESSION AUTHORIZATION;
CREATE TABLE rls_child_tbl () INHERITS (rls_tbl);
INSERT INTO rls_child_tbl SELECT x/10 FROM generate_series(1, 100) x;
ANALYZE rls_child_tbl;
CREATE TABLE rls_ptbl (a int) PARTITION BY RANGE (a);
CREATE TABLE rls_part PARTITION OF rls_ptbl FOR VALUES FROM (-100) TO (100);
INSERT INTO rls_ptbl SELECT x/10 FROM generate_series(1, 100) x;
ANALYZE rls_ptbl, rls_part;
ALTER TABLE rls_ptbl ENABLE ROW LEVEL SECURITY;
ALTER TABLE rls_part ENABLE ROW LEVEL SECURITY;
GRANT SELECT ON rls_ptbl TO regress_rls_alice;
GRANT SELECT ON rls_part TO regress_rls_alice;
CREATE POLICY p1 ON rls_tbl USING (a < 0);
CREATE POLICY p2 ON rls_ptbl USING (a < 0);
CREATE POLICY p3 ON rls_part USING (a < 0);
SET SESSION AUTHORIZATION regress_rls_alice;
SELECT * FROM rls_tbl WHERE a <<< 1000;
a
---
(0 rows)
SELECT * FROM rls_child_tbl WHERE a <<< 1000;
ERROR: permission denied for table rls_child_tbl
SELECT * FROM rls_ptbl WHERE a <<< 1000;
a
---
(0 rows)
SELECT * FROM rls_part WHERE a <<< 1000;
a
---
(0 rows)
SELECT * FROM (SELECT * FROM rls_tbl UNION ALL
SELECT * FROM rls_tbl) t WHERE a <<< 1000;
a
---
(0 rows)
SELECT * FROM (SELECT * FROM rls_child_tbl UNION ALL
SELECT * FROM rls_child_tbl) t WHERE a <<< 1000;
ERROR: permission denied for table rls_child_tbl
RESET SESSION AUTHORIZATION;
REVOKE SELECT ON rls_tbl FROM regress_rls_alice;
CREATE VIEW rls_tbl_view AS SELECT * FROM rls_tbl;
ALTER TABLE rls_child_tbl ENABLE ROW LEVEL SECURITY;
GRANT SELECT ON rls_child_tbl TO regress_rls_alice;
CREATE POLICY p4 ON rls_child_tbl USING (a < 0);
SET SESSION AUTHORIZATION regress_rls_alice;
SELECT * FROM rls_tbl WHERE a <<< 1000;
ERROR: permission denied for table rls_tbl
SELECT * FROM rls_tbl_view WHERE a <<< 1000;
ERROR: permission denied for view rls_tbl_view
SELECT * FROM rls_child_tbl WHERE a <<< 1000;
a
---
(0 rows)
SELECT * FROM (SELECT * FROM rls_tbl UNION ALL
SELECT * FROM rls_tbl) t WHERE a <<< 1000;
ERROR: permission denied for table rls_tbl
SELECT * FROM (SELECT * FROM rls_child_tbl UNION ALL
SELECT * FROM rls_child_tbl) t WHERE a <<< 1000;
a
---
(0 rows)
DROP OPERATOR <<< (int, int); DROP OPERATOR <<< (int, int);
DROP FUNCTION op_leak(int, int); DROP FUNCTION op_leak(int, int);
RESET SESSION AUTHORIZATION; RESET SESSION AUTHORIZATION;
DROP TABLE rls_part;
DROP TABLE rls_ptbl;
DROP TABLE rls_child_tbl;
DROP VIEW rls_tbl_view;
DROP TABLE rls_tbl; DROP TABLE rls_tbl;
-- Bug #16006: whole-row Vars in a policy don't play nice with sub-selects -- Bug #16006: whole-row Vars in a policy don't play nice with sub-selects
SET SESSION AUTHORIZATION regress_rls_alice; SET SESSION AUTHORIZATION regress_rls_alice;

71
src/test/regress/expected/stats_ext.out
Unescape View File

@ -3275,9 +3275,17 @@ CREATE FUNCTION op_leak(int, int) RETURNS bool
LANGUAGE plpgsql; LANGUAGE plpgsql;
CREATE OPERATOR <<< (procedure = op_leak, leftarg = int, rightarg = int, CREATE OPERATOR <<< (procedure = op_leak, leftarg = int, rightarg = int,
restrict = scalarltsel); restrict = scalarltsel);
CREATE FUNCTION op_leak(record, record) RETURNS bool
AS 'BEGIN RAISE NOTICE ''op_leak => %, %'', $1, $2; RETURN $1 < $2; END'
LANGUAGE plpgsql;
CREATE OPERATOR <<< (procedure = op_leak, leftarg = record, rightarg = record,
restrict = scalarltsel);
SELECT * FROM tststats.priv_test_tbl WHERE a <<< 0 AND b <<< 0; -- Permission denied SELECT * FROM tststats.priv_test_tbl WHERE a <<< 0 AND b <<< 0; -- Permission denied
ERROR: permission denied for table priv_test_tbl ERROR: permission denied for table priv_test_tbl
SELECT * FROM tststats.priv_test_tbl WHERE a <<< 0 OR b <<< 0; SELECT * FROM tststats.priv_test_tbl WHERE a <<< 0 OR b <<< 0; -- Permission denied
ERROR: permission denied for table priv_test_tbl
SELECT * FROM tststats.priv_test_tbl t
WHERE a <<< 0 AND (b <<< 0 OR t.* <<< (1, 1) IS NOT NULL); -- Permission denied
ERROR: permission denied for table priv_test_tbl ERROR: permission denied for table priv_test_tbl
DELETE FROM tststats.priv_test_tbl WHERE a <<< 0 AND b <<< 0; -- Permission denied DELETE FROM tststats.priv_test_tbl WHERE a <<< 0 AND b <<< 0; -- Permission denied
ERROR: permission denied for table priv_test_tbl ERROR: permission denied for table priv_test_tbl
@ -3298,10 +3306,17 @@ SELECT * FROM tststats.priv_test_view WHERE a <<< 0 OR b <<< 0; -- Should not le
---+--- ---+---
(0 rows) (0 rows)
SELECT * FROM tststats.priv_test_view t
WHERE a <<< 0 AND (b <<< 0 OR t.* <<< (1, 1) IS NOT NULL); -- Should not leak
a | b
---+---
(0 rows)
DELETE FROM tststats.priv_test_view WHERE a <<< 0 AND b <<< 0; -- Should not leak DELETE FROM tststats.priv_test_view WHERE a <<< 0 AND b <<< 0; -- Should not leak
-- Grant table access, but hide all data with RLS -- Grant table access, but hide all data with RLS
RESET SESSION AUTHORIZATION; RESET SESSION AUTHORIZATION;
ALTER TABLE tststats.priv_test_tbl ENABLE ROW LEVEL SECURITY; ALTER TABLE tststats.priv_test_tbl ENABLE ROW LEVEL SECURITY;
CREATE POLICY priv_test_tbl_pol ON tststats.priv_test_tbl USING (2 * a < 0);
GRANT SELECT, DELETE ON tststats.priv_test_tbl TO regress_stats_user1; GRANT SELECT, DELETE ON tststats.priv_test_tbl TO regress_stats_user1;
-- Should now have direct table access, but see nothing and leak nothing -- Should now have direct table access, but see nothing and leak nothing
SET SESSION AUTHORIZATION regress_stats_user1; SET SESSION AUTHORIZATION regress_stats_user1;
@ -3310,12 +3325,57 @@ SELECT * FROM tststats.priv_test_tbl WHERE a <<< 0 AND b <<< 0; -- Should not le
---+--- ---+---
(0 rows) (0 rows)
SELECT * FROM tststats.priv_test_tbl WHERE a <<< 0 OR b <<< 0; SELECT * FROM tststats.priv_test_tbl WHERE a <<< 0 OR b <<< 0; -- Should not leak
a | b
---+---
(0 rows)
SELECT * FROM tststats.priv_test_tbl t
WHERE a <<< 0 AND (b <<< 0 OR t.* <<< (1, 1) IS NOT NULL); -- Should not leak
a | b a | b
---+--- ---+---
(0 rows) (0 rows)
DELETE FROM tststats.priv_test_tbl WHERE a <<< 0 AND b <<< 0; -- Should not leak DELETE FROM tststats.priv_test_tbl WHERE a <<< 0 AND b <<< 0; -- Should not leak
-- Create plain inheritance parent table with no access permissions
RESET SESSION AUTHORIZATION;
CREATE TABLE tststats.priv_test_parent_tbl (a int, b int);
ALTER TABLE tststats.priv_test_tbl INHERIT tststats.priv_test_parent_tbl;
-- Should not have access to parent, and should leak nothing
SET SESSION AUTHORIZATION regress_stats_user1;
SELECT * FROM tststats.priv_test_parent_tbl WHERE a <<< 0 AND b <<< 0; -- Permission denied
ERROR: permission denied for table priv_test_parent_tbl
SELECT * FROM tststats.priv_test_parent_tbl WHERE a <<< 0 OR b <<< 0; -- Permission denied
ERROR: permission denied for table priv_test_parent_tbl
SELECT * FROM tststats.priv_test_parent_tbl t
WHERE a <<< 0 AND (b <<< 0 OR t.* <<< (1, 1) IS NOT NULL); -- Permission denied
ERROR: permission denied for table priv_test_parent_tbl
DELETE FROM tststats.priv_test_parent_tbl WHERE a <<< 0 AND b <<< 0; -- Permission denied
ERROR: permission denied for table priv_test_parent_tbl
-- Grant table access to parent, but hide all data with RLS
RESET SESSION AUTHORIZATION;
ALTER TABLE tststats.priv_test_parent_tbl ENABLE ROW LEVEL SECURITY;
CREATE POLICY priv_test_parent_tbl_pol ON tststats.priv_test_parent_tbl USING (2 * a < 0);
GRANT SELECT, DELETE ON tststats.priv_test_parent_tbl TO regress_stats_user1;
-- Should now have direct table access to parent, but see nothing and leak nothing
SET SESSION AUTHORIZATION regress_stats_user1;
SELECT * FROM tststats.priv_test_parent_tbl WHERE a <<< 0 AND b <<< 0; -- Should not leak
a | b
---+---
(0 rows)
SELECT * FROM tststats.priv_test_parent_tbl WHERE a <<< 0 OR b <<< 0; -- Should not leak
a | b
---+---
(0 rows)
SELECT * FROM tststats.priv_test_parent_tbl t
WHERE a <<< 0 AND (b <<< 0 OR t.* <<< (1, 1) IS NOT NULL); -- Should not leak
a | b
---+---
(0 rows)
DELETE FROM tststats.priv_test_parent_tbl WHERE a <<< 0 AND b <<< 0; -- Should not leak
-- privilege checks for pg_stats_ext and pg_stats_ext_exprs -- privilege checks for pg_stats_ext and pg_stats_ext_exprs
RESET SESSION AUTHORIZATION; RESET SESSION AUTHORIZATION;
CREATE TABLE stats_ext_tbl (id INT PRIMARY KEY GENERATED BY DEFAULT AS IDENTITY, col TEXT); CREATE TABLE stats_ext_tbl (id INT PRIMARY KEY GENERATED BY DEFAULT AS IDENTITY, col TEXT);
@ -3361,11 +3421,14 @@ SELECT statistics_name, most_common_vals FROM pg_stats_ext_exprs x
-- Tidy up -- Tidy up
DROP OPERATOR <<< (int, int); DROP OPERATOR <<< (int, int);
DROP FUNCTION op_leak(int, int); DROP FUNCTION op_leak(int, int);
DROP OPERATOR <<< (record, record);
DROP FUNCTION op_leak(record, record);
RESET SESSION AUTHORIZATION; RESET SESSION AUTHORIZATION;
DROP TABLE stats_ext_tbl; DROP TABLE stats_ext_tbl;
DROP SCHEMA tststats CASCADE; DROP SCHEMA tststats CASCADE;
NOTICE: drop cascades to 2 other objects NOTICE: drop cascades to 3 other objects
DETAIL: drop cascades to table tststats.priv_test_tbl DETAIL: drop cascades to table tststats.priv_test_parent_tbl
drop cascades to table tststats.priv_test_tbl
drop cascades to view tststats.priv_test_view drop cascades to view tststats.priv_test_view
DROP USER regress_stats_user1; DROP USER regress_stats_user1;
CREATE TABLE grouping_unique (x integer); CREATE TABLE grouping_unique (x integer);

12
src/test/regress/sql/privileges.sql
Unescape View File

@ -346,8 +346,6 @@ CREATE VIEW atest12v AS
SELECT * FROM atest12 WHERE b <<< 5; SELECT * FROM atest12 WHERE b <<< 5;
CREATE VIEW atest12sbv WITH (security_barrier=true) AS CREATE VIEW atest12sbv WITH (security_barrier=true) AS
SELECT * FROM atest12 WHERE b <<< 5; SELECT * FROM atest12 WHERE b <<< 5;
GRANT SELECT ON atest12v TO PUBLIC;
GRANT SELECT ON atest12sbv TO PUBLIC;
-- This plan should use nestloop, knowing that few rows will be selected. -- This plan should use nestloop, knowing that few rows will be selected.
EXPLAIN (COSTS OFF) SELECT * FROM atest12v x, atest12v y WHERE x.a = y.b; EXPLAIN (COSTS OFF) SELECT * FROM atest12v x, atest12v y WHERE x.a = y.b;
@ -369,8 +367,16 @@ CREATE FUNCTION leak2(integer,integer) RETURNS boolean
CREATE OPERATOR >>> (procedure = leak2, leftarg = integer, rightarg = integer, CREATE OPERATOR >>> (procedure = leak2, leftarg = integer, rightarg = integer,
restrict = scalargtsel); restrict = scalargtsel);
-- This should not show any "leak" notices before failing. -- These should not show any "leak" notices before failing.
EXPLAIN (COSTS OFF) SELECT * FROM atest12 WHERE a >>> 0; EXPLAIN (COSTS OFF) SELECT * FROM atest12 WHERE a >>> 0;
EXPLAIN (COSTS OFF) SELECT * FROM atest12v WHERE a >>> 0;
EXPLAIN (COSTS OFF) SELECT * FROM atest12sbv WHERE a >>> 0;
-- Now regress_priv_user1 grants access to regress_priv_user2 via the views.
SET SESSION AUTHORIZATION regress_priv_user1;
GRANT SELECT ON atest12v TO PUBLIC;
GRANT SELECT ON atest12sbv TO PUBLIC;
SET SESSION AUTHORIZATION regress_priv_user2;
-- These plans should continue to use a nestloop, since they execute with the -- These plans should continue to use a nestloop, since they execute with the
-- privileges of the view owner. -- privileges of the view owner.

51
src/test/regress/sql/rowsecurity.sql
Unescape View File

@ -2189,7 +2189,7 @@ DROP VIEW rls_view;
DROP TABLE rls_tbl; DROP TABLE rls_tbl;
DROP TABLE ref_tbl; DROP TABLE ref_tbl;
-- Leaky operator test -- Leaky operator tests
CREATE TABLE rls_tbl (a int); CREATE TABLE rls_tbl (a int);
INSERT INTO rls_tbl SELECT x/10 FROM generate_series(1, 100) x; INSERT INTO rls_tbl SELECT x/10 FROM generate_series(1, 100) x;
ANALYZE rls_tbl; ANALYZE rls_tbl;
@ -2205,9 +2205,58 @@ CREATE OPERATOR <<< (procedure = op_leak, leftarg = int, rightarg = int,
restrict = scalarltsel); restrict = scalarltsel);
SELECT * FROM rls_tbl WHERE a <<< 1000; SELECT * FROM rls_tbl WHERE a <<< 1000;
EXPLAIN (COSTS OFF) SELECT * FROM rls_tbl WHERE a <<< 1000 or a <<< 900; EXPLAIN (COSTS OFF) SELECT * FROM rls_tbl WHERE a <<< 1000 or a <<< 900;
RESET SESSION AUTHORIZATION;
CREATE TABLE rls_child_tbl () INHERITS (rls_tbl);
INSERT INTO rls_child_tbl SELECT x/10 FROM generate_series(1, 100) x;
ANALYZE rls_child_tbl;
CREATE TABLE rls_ptbl (a int) PARTITION BY RANGE (a);
CREATE TABLE rls_part PARTITION OF rls_ptbl FOR VALUES FROM (-100) TO (100);
INSERT INTO rls_ptbl SELECT x/10 FROM generate_series(1, 100) x;
ANALYZE rls_ptbl, rls_part;
ALTER TABLE rls_ptbl ENABLE ROW LEVEL SECURITY;
ALTER TABLE rls_part ENABLE ROW LEVEL SECURITY;
GRANT SELECT ON rls_ptbl TO regress_rls_alice;
GRANT SELECT ON rls_part TO regress_rls_alice;
CREATE POLICY p1 ON rls_tbl USING (a < 0);
CREATE POLICY p2 ON rls_ptbl USING (a < 0);
CREATE POLICY p3 ON rls_part USING (a < 0);
SET SESSION AUTHORIZATION regress_rls_alice;
SELECT * FROM rls_tbl WHERE a <<< 1000;
SELECT * FROM rls_child_tbl WHERE a <<< 1000;
SELECT * FROM rls_ptbl WHERE a <<< 1000;
SELECT * FROM rls_part WHERE a <<< 1000;
SELECT * FROM (SELECT * FROM rls_tbl UNION ALL
SELECT * FROM rls_tbl) t WHERE a <<< 1000;
SELECT * FROM (SELECT * FROM rls_child_tbl UNION ALL
SELECT * FROM rls_child_tbl) t WHERE a <<< 1000;
RESET SESSION AUTHORIZATION;
REVOKE SELECT ON rls_tbl FROM regress_rls_alice;
CREATE VIEW rls_tbl_view AS SELECT * FROM rls_tbl;
ALTER TABLE rls_child_tbl ENABLE ROW LEVEL SECURITY;
GRANT SELECT ON rls_child_tbl TO regress_rls_alice;
CREATE POLICY p4 ON rls_child_tbl USING (a < 0);
SET SESSION AUTHORIZATION regress_rls_alice;
SELECT * FROM rls_tbl WHERE a <<< 1000;
SELECT * FROM rls_tbl_view WHERE a <<< 1000;
SELECT * FROM rls_child_tbl WHERE a <<< 1000;
SELECT * FROM (SELECT * FROM rls_tbl UNION ALL
SELECT * FROM rls_tbl) t WHERE a <<< 1000;
SELECT * FROM (SELECT * FROM rls_child_tbl UNION ALL
SELECT * FROM rls_child_tbl) t WHERE a <<< 1000;
DROP OPERATOR <<< (int, int); DROP OPERATOR <<< (int, int);
DROP FUNCTION op_leak(int, int); DROP FUNCTION op_leak(int, int);
RESET SESSION AUTHORIZATION; RESET SESSION AUTHORIZATION;
DROP TABLE rls_part;
DROP TABLE rls_ptbl;
DROP TABLE rls_child_tbl;
DROP VIEW rls_tbl_view;
DROP TABLE rls_tbl; DROP TABLE rls_tbl;
-- Bug #16006: whole-row Vars in a policy don't play nice with sub-selects -- Bug #16006: whole-row Vars in a policy don't play nice with sub-selects

45
src/test/regress/sql/stats_ext.sql
Unescape View File

@ -1647,8 +1647,15 @@ CREATE FUNCTION op_leak(int, int) RETURNS bool
LANGUAGE plpgsql; LANGUAGE plpgsql;
CREATE OPERATOR <<< (procedure = op_leak, leftarg = int, rightarg = int, CREATE OPERATOR <<< (procedure = op_leak, leftarg = int, rightarg = int,
restrict = scalarltsel); restrict = scalarltsel);
CREATE FUNCTION op_leak(record, record) RETURNS bool
AS 'BEGIN RAISE NOTICE ''op_leak => %, %'', $1, $2; RETURN $1 < $2; END'
LANGUAGE plpgsql;
CREATE OPERATOR <<< (procedure = op_leak, leftarg = record, rightarg = record,
restrict = scalarltsel);
SELECT * FROM tststats.priv_test_tbl WHERE a <<< 0 AND b <<< 0; -- Permission denied SELECT * FROM tststats.priv_test_tbl WHERE a <<< 0 AND b <<< 0; -- Permission denied
SELECT * FROM tststats.priv_test_tbl WHERE a <<< 0 OR b <<< 0; SELECT * FROM tststats.priv_test_tbl WHERE a <<< 0 OR b <<< 0; -- Permission denied
SELECT * FROM tststats.priv_test_tbl t
WHERE a <<< 0 AND (b <<< 0 OR t.* <<< (1, 1) IS NOT NULL); -- Permission denied
DELETE FROM tststats.priv_test_tbl WHERE a <<< 0 AND b <<< 0; -- Permission denied DELETE FROM tststats.priv_test_tbl WHERE a <<< 0 AND b <<< 0; -- Permission denied
-- Grant access via a security barrier view, but hide all data -- Grant access via a security barrier view, but hide all data
@ -1661,19 +1668,51 @@ GRANT SELECT, DELETE ON tststats.priv_test_view TO regress_stats_user1;
SET SESSION AUTHORIZATION regress_stats_user1; SET SESSION AUTHORIZATION regress_stats_user1;
SELECT * FROM tststats.priv_test_view WHERE a <<< 0 AND b <<< 0; -- Should not leak SELECT * FROM tststats.priv_test_view WHERE a <<< 0 AND b <<< 0; -- Should not leak
SELECT * FROM tststats.priv_test_view WHERE a <<< 0 OR b <<< 0; -- Should not leak SELECT * FROM tststats.priv_test_view WHERE a <<< 0 OR b <<< 0; -- Should not leak
SELECT * FROM tststats.priv_test_view t
WHERE a <<< 0 AND (b <<< 0 OR t.* <<< (1, 1) IS NOT NULL); -- Should not leak
DELETE FROM tststats.priv_test_view WHERE a <<< 0 AND b <<< 0; -- Should not leak DELETE FROM tststats.priv_test_view WHERE a <<< 0 AND b <<< 0; -- Should not leak
-- Grant table access, but hide all data with RLS -- Grant table access, but hide all data with RLS
RESET SESSION AUTHORIZATION; RESET SESSION AUTHORIZATION;
ALTER TABLE tststats.priv_test_tbl ENABLE ROW LEVEL SECURITY; ALTER TABLE tststats.priv_test_tbl ENABLE ROW LEVEL SECURITY;
CREATE POLICY priv_test_tbl_pol ON tststats.priv_test_tbl USING (2 * a < 0);
GRANT SELECT, DELETE ON tststats.priv_test_tbl TO regress_stats_user1; GRANT SELECT, DELETE ON tststats.priv_test_tbl TO regress_stats_user1;
-- Should now have direct table access, but see nothing and leak nothing -- Should now have direct table access, but see nothing and leak nothing
SET SESSION AUTHORIZATION regress_stats_user1; SET SESSION AUTHORIZATION regress_stats_user1;
SELECT * FROM tststats.priv_test_tbl WHERE a <<< 0 AND b <<< 0; -- Should not leak SELECT * FROM tststats.priv_test_tbl WHERE a <<< 0 AND b <<< 0; -- Should not leak
SELECT * FROM tststats.priv_test_tbl WHERE a <<< 0 OR b <<< 0; SELECT * FROM tststats.priv_test_tbl WHERE a <<< 0 OR b <<< 0; -- Should not leak
SELECT * FROM tststats.priv_test_tbl t
WHERE a <<< 0 AND (b <<< 0 OR t.* <<< (1, 1) IS NOT NULL); -- Should not leak
DELETE FROM tststats.priv_test_tbl WHERE a <<< 0 AND b <<< 0; -- Should not leak DELETE FROM tststats.priv_test_tbl WHERE a <<< 0 AND b <<< 0; -- Should not leak
-- Create plain inheritance parent table with no access permissions
RESET SESSION AUTHORIZATION;
CREATE TABLE tststats.priv_test_parent_tbl (a int, b int);
ALTER TABLE tststats.priv_test_tbl INHERIT tststats.priv_test_parent_tbl;
-- Should not have access to parent, and should leak nothing
SET SESSION AUTHORIZATION regress_stats_user1;
SELECT * FROM tststats.priv_test_parent_tbl WHERE a <<< 0 AND b <<< 0; -- Permission denied
SELECT * FROM tststats.priv_test_parent_tbl WHERE a <<< 0 OR b <<< 0; -- Permission denied
SELECT * FROM tststats.priv_test_parent_tbl t
WHERE a <<< 0 AND (b <<< 0 OR t.* <<< (1, 1) IS NOT NULL); -- Permission denied
DELETE FROM tststats.priv_test_parent_tbl WHERE a <<< 0 AND b <<< 0; -- Permission denied
-- Grant table access to parent, but hide all data with RLS
RESET SESSION AUTHORIZATION;
ALTER TABLE tststats.priv_test_parent_tbl ENABLE ROW LEVEL SECURITY;
CREATE POLICY priv_test_parent_tbl_pol ON tststats.priv_test_parent_tbl USING (2 * a < 0);
GRANT SELECT, DELETE ON tststats.priv_test_parent_tbl TO regress_stats_user1;
-- Should now have direct table access to parent, but see nothing and leak nothing
SET SESSION AUTHORIZATION regress_stats_user1;
SELECT * FROM tststats.priv_test_parent_tbl WHERE a <<< 0 AND b <<< 0; -- Should not leak
SELECT * FROM tststats.priv_test_parent_tbl WHERE a <<< 0 OR b <<< 0; -- Should not leak
SELECT * FROM tststats.priv_test_parent_tbl t
WHERE a <<< 0 AND (b <<< 0 OR t.* <<< (1, 1) IS NOT NULL); -- Should not leak
DELETE FROM tststats.priv_test_parent_tbl WHERE a <<< 0 AND b <<< 0; -- Should not leak
-- privilege checks for pg_stats_ext and pg_stats_ext_exprs -- privilege checks for pg_stats_ext and pg_stats_ext_exprs
RESET SESSION AUTHORIZATION; RESET SESSION AUTHORIZATION;
CREATE TABLE stats_ext_tbl (id INT PRIMARY KEY GENERATED BY DEFAULT AS IDENTITY, col TEXT); CREATE TABLE stats_ext_tbl (id INT PRIMARY KEY GENERATED BY DEFAULT AS IDENTITY, col TEXT);
@ -1703,6 +1742,8 @@ SELECT statistics_name, most_common_vals FROM pg_stats_ext_exprs x
-- Tidy up -- Tidy up
DROP OPERATOR <<< (int, int); DROP OPERATOR <<< (int, int);
DROP FUNCTION op_leak(int, int); DROP FUNCTION op_leak(int, int);
DROP OPERATOR <<< (record, record);
DROP FUNCTION op_leak(record, record);
RESET SESSION AUTHORIZATION; RESET SESSION AUTHORIZATION;
DROP TABLE stats_ext_tbl; DROP TABLE stats_ext_tbl;
DROP SCHEMA tststats CASCADE; DROP SCHEMA tststats CASCADE;

Write Preview
Loading…
Cancel
Save