Skip to content

Commit 76123de

Browse files
tglsfdctglsfdc
committed
Fix improper interactions between session_authorization and role.
The SQL spec mandates that SET SESSION AUTHORIZATION implies SET ROLE NONE. We tried to implement that within the lowest-level functions that manipulate these settings, but that was a bad idea. In particular, guc.c assumes that it doesn't matter in what order it applies GUC variable updates, but that was not the case for these two variables. This problem, compounded by some hackish attempts to work around it, led to some security-grade issues: * Rolling back a transaction that had done SET SESSION AUTHORIZATION would revert to SET ROLE NONE, even if that had not been the previous state, so that the effective user ID might now be different from what it had been. * The same for SET SESSION AUTHORIZATION in a function SET clause. * If a parallel worker inspected current_setting('role'), it saw "none" even when it should see something else. Also, although the parallel worker startup code intended to cope with the current role's pg_authid row having disappeared, its implementation of that was incomplete so it would still fail. Fix by fully separating the miscinit.c functions that assign session_authorization from those that assign role. To implement the spec's requirement, teach set_config_option itself to perform "SET ROLE NONE" when it sets session_authorization. (This is undoubtedly ugly, but the alternatives seem worse. In particular, there's no way to do it within assign_session_authorization without incompatible changes in the API for GUC assign hooks.) Also, improve ParallelWorkerMain to directly set all the relevant user-ID variables instead of relying on some of them to get set indirectly. That allows us to survive not finding the pg_authid row during worker startup. In v16 and earlier, this includes back-patching 9987a7b which fixed a violation of GUC coding rules: SetSessionAuthorization is not an appropriate place to be throwing errors from. Security: CVE-2024-10978
1 parent 952ff31 commit 76123de

File tree

7 files changed

+341
-109
lines changed

7 files changed

+341
-109
lines changed

src/backend/access/transam/parallel.c

+27-9
Original file line numberDiff line numberDiff line change
@@ -83,12 +83,15 @@ typedef struct FixedParallelState
8383
/* Fixed-size state that workers must restore. */
8484
Oid database_id;
8585
Oid authenticated_user_id;
86-
Oid current_user_id;
86+
Oid session_user_id;
8787
Oid outer_user_id;
88+
Oid current_user_id;
8889
Oid temp_namespace_id;
8990
Oid temp_toast_namespace_id;
9091
int sec_context;
91-
bool is_superuser;
92+
bool authenticated_user_is_superuser;
93+
bool session_user_is_superuser;
94+
bool role_is_superuser;
9295
PGPROC *parallel_master_pgproc;
9396
pid_t parallel_master_pid;
9497
BackendId parallel_master_backend_id;
@@ -330,9 +333,12 @@ InitializeParallelDSM(ParallelContext *pcxt)
330333
shm_toc_allocate(pcxt->toc, sizeof(FixedParallelState));
331334
fps->database_id = MyDatabaseId;
332335
fps->authenticated_user_id = GetAuthenticatedUserId();
336+
fps->session_user_id = GetSessionUserId();
333337
fps->outer_user_id = GetCurrentRoleId();
334-
fps->is_superuser = session_auth_is_superuser;
335338
GetUserIdAndSecContext(&fps->current_user_id, &fps->sec_context);
339+
fps->authenticated_user_is_superuser = GetAuthenticatedUserIsSuperuser();
340+
fps->session_user_is_superuser = GetSessionUserIsSuperuser();
341+
fps->role_is_superuser = session_auth_is_superuser;
336342
GetTempNamespaceState(&fps->temp_namespace_id,
337343
&fps->temp_toast_namespace_id);
338344
fps->parallel_master_pgproc = MyProc;
@@ -1395,6 +1401,18 @@ ParallelWorkerMain(Datum main_arg)
13951401

13961402
entrypt = LookupParallelWorkerFunction(library_name, function_name);
13971403

1404+
/*
1405+
* Restore current session authorization and role id. No verification
1406+
* happens here, we just blindly adopt the leader's state. Note that this
1407+
* has to happen before InitPostgres, since InitializeSessionUserId will
1408+
* not set these variables.
1409+
*/
1410+
SetAuthenticatedUserId(fps->authenticated_user_id,
1411+
fps->authenticated_user_is_superuser);
1412+
SetSessionAuthorization(fps->session_user_id,
1413+
fps->session_user_is_superuser);
1414+
SetCurrentRoleId(fps->outer_user_id, fps->role_is_superuser);
1415+
13981416
/* Restore database connection. */
13991417
BackgroundWorkerInitializeConnectionByOid(fps->database_id,
14001418
fps->authenticated_user_id,
@@ -1460,13 +1478,13 @@ ParallelWorkerMain(Datum main_arg)
14601478
InvalidateSystemCaches();
14611479

14621480
/*
1463-
* Restore current role id. Skip verifying whether session user is
1464-
* allowed to become this role and blindly restore the leader's state for
1465-
* current role.
1481+
* Restore current user ID and security context. No verification happens
1482+
* here, we just blindly adopt the leader's state. We can't do this till
1483+
* after restoring GUCs, else we'll get complaints about restoring
1484+
* session_authorization and role. (In effect, we're assuming that all
1485+
* the restored values are okay to set, even if we are now inside a
1486+
* restricted context.)
14661487
*/
1467-
SetCurrentRoleId(fps->outer_user_id, fps->is_superuser);
1468-
1469-
/* Restore user ID and security context. */
14701488
SetUserIdAndSecContext(fps->current_user_id, fps->sec_context);
14711489

14721490
/* Restore temp-namespace state to ensure search path matches leader's. */

src/backend/commands/variable.c

+72-29
Original file line numberDiff line numberDiff line change
@@ -753,40 +753,78 @@ check_session_authorization(char **newval, void **extra, GucSource source)
753753
if (*newval == NULL)
754754
return true;
755755

756-
if (!IsTransactionState())
756+
if (InitializingParallelWorker)
757757
{
758758
/*
759-
* Can't do catalog lookups, so fail. The result of this is that
760-
* session_authorization cannot be set in postgresql.conf, which seems
761-
* like a good thing anyway, so we don't work hard to avoid it.
759+
* In parallel worker initialization, we want to copy the leader's
760+
* state even if it no longer matches the catalogs. ParallelWorkerMain
761+
* already installed the correct role OID and superuser state.
762762
*/
763-
return false;
763+
roleid = GetSessionUserId();
764+
is_superuser = GetSessionUserIsSuperuser();
764765
}
765-
766-
/* Look up the username */
767-
roleTup = SearchSysCache1(AUTHNAME, PointerGetDatum(*newval));
768-
if (!HeapTupleIsValid(roleTup))
766+
else
769767
{
768+
if (!IsTransactionState())
769+
{
770+
/*
771+
* Can't do catalog lookups, so fail. The result of this is that
772+
* session_authorization cannot be set in postgresql.conf, which
773+
* seems like a good thing anyway, so we don't work hard to avoid
774+
* it.
775+
*/
776+
return false;
777+
}
778+
770779
/*
771780
* When source == PGC_S_TEST, we don't throw a hard error for a
772-
* nonexistent user name, only a NOTICE. See comments in guc.h.
781+
* nonexistent user name or insufficient privileges, only a NOTICE.
782+
* See comments in guc.h.
773783
*/
774-
if (source == PGC_S_TEST)
784+
785+
/* Look up the username */
786+
roleTup = SearchSysCache1(AUTHNAME, PointerGetDatum(*newval));
787+
if (!HeapTupleIsValid(roleTup))
775788
{
776-
ereport(NOTICE,
777-
(errcode(ERRCODE_UNDEFINED_OBJECT),
778-
errmsg("role \"%s\" does not exist", *newval)));
779-
return true;
789+
if (source == PGC_S_TEST)
790+
{
791+
ereport(NOTICE,
792+
(errcode(ERRCODE_UNDEFINED_OBJECT),
793+
errmsg("role \"%s\" does not exist", *newval)));
794+
return true;
795+
}
796+
GUC_check_errmsg("role \"%s\" does not exist", *newval);
797+
return false;
780798
}
781-
GUC_check_errmsg("role \"%s\" does not exist", *newval);
782-
return false;
783-
}
784799

785-
roleform = (Form_pg_authid) GETSTRUCT(roleTup);
786-
roleid = roleform->oid;
787-
is_superuser = roleform->rolsuper;
800+
roleform = (Form_pg_authid) GETSTRUCT(roleTup);
801+
roleid = roleform->oid;
802+
is_superuser = roleform->rolsuper;
788803

789-
ReleaseSysCache(roleTup);
804+
ReleaseSysCache(roleTup);
805+
806+
/*
807+
* Only superusers may SET SESSION AUTHORIZATION a role other than
808+
* itself. Note that in case of multiple SETs in a single session, the
809+
* original authenticated user's superuserness is what matters.
810+
*/
811+
if (roleid != GetAuthenticatedUserId() &&
812+
!GetAuthenticatedUserIsSuperuser())
813+
{
814+
if (source == PGC_S_TEST)
815+
{
816+
ereport(NOTICE,
817+
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
818+
errmsg("permission will be denied to set session authorization \"%s\"",
819+
*newval)));
820+
return true;
821+
}
822+
GUC_check_errcode(ERRCODE_INSUFFICIENT_PRIVILEGE);
823+
GUC_check_errmsg("permission denied to set session authorization \"%s\"",
824+
*newval);
825+
return false;
826+
}
827+
}
790828

791829
/* Set up "extra" struct for assign_session_authorization to use */
792830
myextra = (role_auth_extra *) malloc(sizeof(role_auth_extra));
@@ -836,6 +874,16 @@ check_role(char **newval, void **extra, GucSource source)
836874
roleid = InvalidOid;
837875
is_superuser = false;
838876
}
877+
else if (InitializingParallelWorker)
878+
{
879+
/*
880+
* In parallel worker initialization, we want to copy the leader's
881+
* state even if it no longer matches the catalogs. ParallelWorkerMain
882+
* already installed the correct role OID and superuser state.
883+
*/
884+
roleid = GetCurrentRoleId();
885+
is_superuser = session_auth_is_superuser;
886+
}
839887
else
840888
{
841889
if (!IsTransactionState())
@@ -875,13 +923,8 @@ check_role(char **newval, void **extra, GucSource source)
875923

876924
ReleaseSysCache(roleTup);
877925

878-
/*
879-
* Verify that session user is allowed to become this role, but skip
880-
* this in parallel mode, where we must blindly recreate the parallel
881-
* leader's state.
882-
*/
883-
if (!InitializingParallelWorker &&
884-
!is_member_of_role(GetSessionUserId(), roleid))
926+
/* Verify that session user is allowed to become this role */
927+
if (!is_member_of_role(GetSessionUserId(), roleid))
885928
{
886929
if (source == PGC_S_TEST)
887930
{

0 commit comments

Comments
 (0)