Skip to content

Commit f4f5d27

Browse files
tglsfdctglsfdc
committed
Parallel workers use AuthenticatedUserId for connection privilege checks.
Commit 5a2fed9 had an unexpected side-effect: the parallel worker launched for the new test case would fail if it couldn't use a superuser-reserved connection slot. The reason that test failed while all our pre-existing ones worked is that the connection privilege tests in InitPostgres had been based on the superuserness of the leader's AuthenticatedUserId, but after the rearrangements of 5a2fed9 we were testing the superuserness of CurrentUserId, which the new test case deliberately made to be a non-superuser. This all seems very accidental and probably not the behavior we really want, but a security patch is no time to be redesigning things. Pending some discussion about desirable semantics, hack it so that InitPostgres continues to pay attention to the superuserness of AuthenticatedUserId when starting a parallel worker. Nathan Bossart and Tom Lane, per buildfarm member sawshark. Security: CVE-2024-10978
1 parent 8d19f3f commit f4f5d27

File tree

1 file changed

+18
-1
lines changed

1 file changed

+18
-1
lines changed

src/backend/utils/init/postinit.c

Lines changed: 18 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -22,6 +22,7 @@
2222
#include "access/genam.h"
2323
#include "access/heapam.h"
2424
#include "access/htup_details.h"
25+
#include "access/parallel.h"
2526
#include "access/session.h"
2627
#include "access/tableam.h"
2728
#include "access/xact.h"
@@ -914,7 +915,23 @@ InitPostgres(const char *in_dbname, Oid dboid,
914915
{
915916
InitializeSessionUserId(username, useroid,
916917
(flags & INIT_PG_OVERRIDE_ROLE_LOGIN) != 0);
917-
am_superuser = superuser();
918+
919+
/*
920+
* In a parallel worker, set am_superuser based on the
921+
* authenticated user ID, not the current role. This is pretty
922+
* dubious but it matches our historical behavior. Note that this
923+
* value of am_superuser is used only for connection-privilege
924+
* checks here and in CheckMyDatabase (we won't reach
925+
* process_startup_options in a background worker).
926+
*
927+
* In other cases, there's been no opportunity for the current
928+
* role to diverge from the authenticated user ID yet, so we can
929+
* just rely on superuser() and avoid an extra catalog lookup.
930+
*/
931+
if (InitializingParallelWorker)
932+
am_superuser = superuser_arg(GetAuthenticatedUserId());
933+
else
934+
am_superuser = superuser();
918935
}
919936
}
920937
else

0 commit comments

Comments
 (0)