open-dsi
/
postgres
mirror of https://github.com/postgres/postgres
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Again match pg_user_mappings to information_schema.user_mapping_options.

Browse Source 
Commit 3eefc51053 claimed to make
pg_user_mappings enforce the qualifications user_mapping_options had
been enforcing, but its removal of a longstanding restriction left them
distinct when the current user is the subject of a mapping yet has no
server privileges.  user_mapping_options emits no rows for such a
mapping, but pg_user_mappings includes full umoptions.  Change
pg_user_mappings to show null for umoptions.  Back-patch to 9.2, like
the above commit.

Reviewed by Tom Lane.  Reported by Jeff Janes.

Security: CVE-2017-7547
pull/24/head
Noah Misch 8 years ago
parent bf6b9e9444
commit e568e1eee4
5 changed files with 61 additions and 35 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 32
      doc/src/sgml/catalogs.sgml
  2. 4
      src/backend/catalog/system_views.sql
  3. 39
      src/test/regress/expected/foreign_data.out
  4. 2
      src/test/regress/expected/rules.out
  5. 19
      src/test/regress/sql/foreign_data.sql

32
doc/src/sgml/catalogs.sgml
Unescape View File

@ -11099,17 +11099,37 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx
<entry><type>text[]</type></entry>
<entry></entry>
<entry>
User mapping specific options, as <quote>keyword=value</>
strings. This column will show as null unless the current user
is the user being mapped, or the mapping is for
<literal>PUBLIC</literal> and the current user is the server
owner, or the current user is a superuser. The intent is
to protect password information stored as user mapping option.
User mapping specific options, as <quote>keyword=value</> strings
</entry>
</row>
</tbody>
</tgroup>
</table>
<para>
To protect password information stored as a user mapping option,
the <structfield>umoptions</structfield> column will read as null
unless one of the following applies:
<itemizedlist>
<listitem>
<para>
current user is the user being mapped, and owns the server or
holds <literal>USAGE</> privilege on it
</para>
</listitem>
<listitem>
<para>
current user is the server owner and mapping is for <literal>PUBLIC</>
</para>
</listitem>
<listitem>
<para>
current user is a superuser
</para>
</listitem>
</itemizedlist>
</para>
</sect1>

4
src/backend/catalog/system_views.sql
Unescape View File

@ -910,7 +910,9 @@ CREATE VIEW pg_user_mappings AS
ELSE
A.rolname
END AS usename,
CASE WHEN (U.umuser <> 0 AND A.rolname = current_user)
CASE WHEN (U.umuser <> 0 AND A.rolname = current_user
AND (pg_has_role(S.srvowner, 'USAGE')
OR has_server_privilege(S.oid, 'USAGE')))
OR (U.umuser = 0 AND pg_has_role(S.srvowner, 'USAGE'))
OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user)
THEN U.umoptions

39
src/test/regress/expected/foreign_data.out
Unescape View File

@ -1185,10 +1185,11 @@ ERROR: permission denied for foreign-data wrapper foo
ALTER SERVER s9 VERSION '1.1';
GRANT USAGE ON FOREIGN SERVER s9 TO regress_test_role;
CREATE USER MAPPING FOR current_user SERVER s9;
-- We use terse mode to avoid ordering issues in cascade detail output.
\set VERBOSITY terse
DROP SERVER s9 CASCADE;
NOTICE: drop cascades to 2 other objects
DETAIL: drop cascades to user mapping for public on server s9
drop cascades to user mapping for regress_unprivileged_role on server s9
\set VERBOSITY default
RESET ROLE;
CREATE SERVER s9 FOREIGN DATA WRAPPER foo;
GRANT USAGE ON FOREIGN SERVER s9 TO regress_unprivileged_role;
@ -1204,13 +1205,14 @@ ERROR: must be owner of foreign server s9
SET ROLE regress_test_role;
CREATE SERVER s10 FOREIGN DATA WRAPPER foo;
CREATE USER MAPPING FOR public SERVER s10 OPTIONS (user 'secret');
GRANT USAGE ON FOREIGN SERVER s10 TO regress_unprivileged_role;
-- owner of server can see option fields
CREATE USER MAPPING FOR regress_unprivileged_role SERVER s10 OPTIONS (user 'secret');
-- owner of server can see some option fields
\deu+
List of user mappings
Server | User name | FDW options
--------+---------------------------+-------------------
s10 | public | ("user" 'secret')
s10 | regress_unprivileged_role |
s4 | regress_foreign_data_user |
s5 | regress_test_role | (modified '1')
s6 | regress_test_role |
@ -1218,15 +1220,16 @@ GRANT USAGE ON FOREIGN SERVER s10 TO regress_unprivileged_role;
s8 | regress_foreign_data_user |
s9 | regress_unprivileged_role |
t1 | public | (modified '1')
(8 rows)
(9 rows)
RESET ROLE;
-- superuser can see option fields
-- superuser can see all option fields
\deu+
List of user mappings
Server | User name | FDW options
--------+---------------------------+---------------------
s10 | public | ("user" 'secret')
s10 | regress_unprivileged_role | ("user" 'secret')
s4 | regress_foreign_data_user |
s5 | regress_test_role | (modified '1')
s6 | regress_test_role |
@ -1234,15 +1237,16 @@ RESET ROLE;
s8 | regress_foreign_data_user | (password 'public')
s9 | regress_unprivileged_role |
t1 | public | (modified '1')
(8 rows)
(9 rows)
-- unprivileged user cannot see option fields
-- unprivileged user cannot see any option field
SET ROLE regress_unprivileged_role;
\deu+
List of user mappings
Server | User name | FDW options
--------+---------------------------+-------------
s10 | public |
s10 | regress_unprivileged_role |
s4 | regress_foreign_data_user |
s5 | regress_test_role |
s6 | regress_test_role |
@ -1250,11 +1254,13 @@ SET ROLE regress_unprivileged_role;
s8 | regress_foreign_data_user |
s9 | regress_unprivileged_role |
t1 | public |
(8 rows)
(9 rows)
RESET ROLE;
\set VERBOSITY terse
DROP SERVER s10 CASCADE;
NOTICE: drop cascades to user mapping for public on server s10
NOTICE: drop cascades to 2 other objects
\set VERBOSITY default
-- Triggers
CREATE FUNCTION dummy_trigger() RETURNS TRIGGER AS $$
BEGIN
@ -1596,15 +1602,12 @@ Inherits: pt1
Child tables: ct3,
ft3
\set VERBOSITY terse
DROP FOREIGN TABLE ft2; -- ERROR
ERROR: cannot drop foreign table ft2 because other objects depend on it
DETAIL: table ct3 depends on foreign table ft2
foreign table ft3 depends on foreign table ft2
HINT: Use DROP ... CASCADE to drop the dependent objects too.
DROP FOREIGN TABLE ft2 CASCADE;
NOTICE: drop cascades to 2 other objects
DETAIL: drop cascades to table ct3
drop cascades to foreign table ft3
\set VERBOSITY default
CREATE FOREIGN TABLE ft2 (
c1 integer NOT NULL,
c2 text,
@ -2026,16 +2029,12 @@ owner of user mapping for regress_test_role on server s6
DROP SERVER t1 CASCADE;
NOTICE: drop cascades to user mapping for public on server t1
DROP USER MAPPING FOR regress_test_role SERVER s6;
-- This test causes some order dependent cascade detail output,
-- so switch to terse mode for it.
\set VERBOSITY terse
DROP FOREIGN DATA WRAPPER foo CASCADE;
NOTICE: drop cascades to 5 other objects
\set VERBOSITY default
DROP SERVER s8 CASCADE;
NOTICE: drop cascades to 2 other objects
DETAIL: drop cascades to user mapping for regress_foreign_data_user on server s8
drop cascades to user mapping for public on server s8
\set VERBOSITY default
DROP ROLE regress_test_indirect;
DROP ROLE regress_test_role;
DROP ROLE regress_unprivileged_role; -- ERROR

2
src/test/regress/expected/rules.out
Unescape View File

@ -2228,7 +2228,7 @@ pg_user_mappings| SELECT u.oid AS umid,
ELSE a.rolname
END AS usename,
CASE
WHEN (((u.umuser <> (0)::oid) AND (a.rolname = CURRENT_USER)) OR ((u.umuser = (0)::oid) AND pg_has_role(s.srvowner, 'USAGE'::text)) OR ( SELECT pg_authid.rolsuper
WHEN (((u.umuser <> (0)::oid) AND (a.rolname = CURRENT_USER) AND (pg_has_role(s.srvowner, 'USAGE'::text) OR has_server_privilege(s.oid, 'USAGE'::text))) OR ((u.umuser = (0)::oid) AND pg_has_role(s.srvowner, 'USAGE'::text)) OR ( SELECT pg_authid.rolsuper
FROM pg_authid
WHERE (pg_authid.rolname = CURRENT_USER))) THEN u.umoptions
ELSE NULL::text[]

19
src/test/regress/sql/foreign_data.sql
Unescape View File

@ -484,7 +484,10 @@ CREATE SERVER s10 FOREIGN DATA WRAPPER foo; -- ERROR
ALTER SERVER s9 VERSION '1.1';
GRANT USAGE ON FOREIGN SERVER s9 TO regress_test_role;
CREATE USER MAPPING FOR current_user SERVER s9;
-- We use terse mode to avoid ordering issues in cascade detail output.
\set VERBOSITY terse
DROP SERVER s9 CASCADE;
\set VERBOSITY default
RESET ROLE;
CREATE SERVER s9 FOREIGN DATA WRAPPER foo;
GRANT USAGE ON FOREIGN SERVER s9 TO regress_unprivileged_role;
@ -498,17 +501,19 @@ DROP SERVER s9 CASCADE; -- ERROR
SET ROLE regress_test_role;
CREATE SERVER s10 FOREIGN DATA WRAPPER foo;
CREATE USER MAPPING FOR public SERVER s10 OPTIONS (user 'secret');
GRANT USAGE ON FOREIGN SERVER s10 TO regress_unprivileged_role;
-- owner of server can see option fields
CREATE USER MAPPING FOR regress_unprivileged_role SERVER s10 OPTIONS (user 'secret');
-- owner of server can see some option fields
\deu+
RESET ROLE;
-- superuser can see option fields
-- superuser can see all option fields
\deu+
-- unprivileged user cannot see option fields
-- unprivileged user cannot see any option field
SET ROLE regress_unprivileged_role;
\deu+
RESET ROLE;
\set VERBOSITY terse
DROP SERVER s10 CASCADE;
\set VERBOSITY default
-- Triggers
CREATE FUNCTION dummy_trigger() RETURNS TRIGGER AS $$
@ -638,8 +643,10 @@ SELECT relname, conname, contype, conislocal, coninhcount, connoinherit
-- child does not inherit NO INHERIT constraints
\d+ pt1
\d+ ft2
\set VERBOSITY terse
DROP FOREIGN TABLE ft2; -- ERROR
DROP FOREIGN TABLE ft2 CASCADE;
\set VERBOSITY default
CREATE FOREIGN TABLE ft2 (
c1 integer NOT NULL,
c2 text,
@ -784,12 +791,10 @@ DROP SCHEMA foreign_schema CASCADE;
DROP ROLE regress_test_role; -- ERROR
DROP SERVER t1 CASCADE;
DROP USER MAPPING FOR regress_test_role SERVER s6;
-- This test causes some order dependent cascade detail output,
-- so switch to terse mode for it.
\set VERBOSITY terse
DROP FOREIGN DATA WRAPPER foo CASCADE;
\set VERBOSITY default
DROP SERVER s8 CASCADE;
\set VERBOSITY default
DROP ROLE regress_test_indirect;
DROP ROLE regress_test_role;
DROP ROLE regress_unprivileged_role; -- ERROR

Write Preview
Loading…
Cancel
Save