Make REPLICATION privilege checks test current user not authenticated user.
authorTom Lane <tgl@sss.pgh.pa.us>
Mon, 1 Apr 2013 17:09:35 +0000 (13:09 -0400)
committerTom Lane <tgl@sss.pgh.pa.us>
Mon, 1 Apr 2013 17:09:35 +0000 (13:09 -0400)
The pg_start_backup() and pg_stop_backup() functions checked the privileges
of the initially-authenticated user rather than the current user, which is
wrong.  For example, a user-defined index function could successfully call
these functions when executed by ANALYZE within autovacuum.  This could
allow an attacker with valid but low-privilege database access to interfere
with creation of routine backups.  Reported and fixed by Noah Misch.

Security: CVE-2013-1901

src/backend/access/transam/xlog.c
src/backend/utils/init/miscinit.c
src/backend/utils/init/postinit.c
src/include/miscadmin.h

index 859df783e6b3a4d7609ff925cf5c4b29b62a031d..4c96afa0f3cf4e5da9d64d4696f62f643ab6d2b7 100644 (file)
@@ -8982,7 +8982,7 @@ do_pg_start_backup(const char *backupidstr, bool fast, char **labelfile)
        FILE       *fp;
        StringInfoData labelfbuf;
 
-       if (!superuser() && !is_authenticated_user_replication_role())
+       if (!superuser() && !has_rolreplication(GetUserId()))
                ereport(ERROR,
                                (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
                   errmsg("must be superuser or replication role to run a backup")));
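Review bot: The replaced condition in do_pg_start_backup now consults GetUserId() without saying why, and since the old name made the intent self-describing, a one-line comment would keep the next maintainer from "simplifying" it back to the session user, e.g. `/* Check the current effective user, not the session-authenticated user: code run under another user's id must not borrow the session's REPLICATION privilege. */`. The same applies to the identical check in the do_pg_stop_backup hunk below. As far as I recall superuser() is also evaluated against the current user id, so both halves of the condition are now consistent, which is worth confirming. Both enclosing functions start and end outside their hunks.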
@@ -9261,7 +9261,7 @@ do_pg_stop_backup(char *labelfile, bool waitforarchive)
        bool            reported_waiting = false;
        char       *remaining;
 
-       if (!superuser() && !is_authenticated_user_replication_role())
+       if (!superuser() && !has_rolreplication(GetUserId()))
                ereport(ERROR,
                                (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
                 (errmsg("must be superuser or replication role to run a backup"))));
index f6cd0c067593af6df3ff44db6768d0c811b4627f..25cbf60e6578197def07d6fa6a25963cbd4c1d00 100644 (file)
@@ -389,15 +389,15 @@ SetUserIdAndContext(Oid userid, bool sec_def_context)
 
 
 /*
- * Check if the authenticated user is a replication role
+ * Check whether specified role has explicit REPLICATION privilege
  */
 bool
-is_authenticated_user_replication_role(void)
+has_rolreplication(Oid roleid)
 {
        bool            result = false;
        HeapTuple       utup;
 
-       utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(AuthenticatedUserId));
+       utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
        if (HeapTupleIsValid(utup))
        {
                result = ((Form_pg_authid) GETSTRUCT(utup))->rolreplication;
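Review bot: The rewritten header comment on has_rolreplication states the intent but not the contract the callers rely on: the lookup reads only the role's own rolreplication flag from its pg_authid row, result starts as false and is only set when the tuple is valid, so a nonexistent roleid yields false, and neither superuser status nor membership in a replication role is considered, which is why both callers in this commit pair it with superuser(). I would extend the comment to say so, roughly: `Returns false if the role does not exist. Does not consider superuser status or role membership; callers combine with superuser() as needed.` The function body continues past the end of the hunk.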
index dfe338c2bfefe9d7a8d3a918dbd760e877b5da9c..efb48d92ec293dffd60fd7ede1e8534bdb4dbf17 100644 (file)
@@ -669,7 +669,7 @@ InitPostgres(const char *in_dbname, Oid dboid, const char *username,
                Assert(!bootstrap);
 
                /* must have authenticated as a replication role */
-               if (!is_authenticated_user_replication_role())
+               if (!has_rolreplication(GetUserId()))
                        ereport(FATAL,
                                        (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
                                         errmsg("must be replication role to start walsender")));
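Review bot: The context comment `/* must have authenticated as a replication role */` just above the changed line now disagrees with the code, which tests the current user via GetUserId() rather than the authenticated user. At this point in InitPostgres the current user is presumably still the authenticated user, so behaviour should be unchanged, but the comment should describe what is actually checked, e.g. `/* must be connected as a replication role (current user is the authenticated user here) */`. InitPostgres starts and ends outside the hunk.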
index 29363ead1a0ae7c9d641dd6b70ba1c09967f7116..82af9ab89fa5cdcb73954771ffb8ef3c03d5cc57 100644 (file)
@@ -395,7 +395,7 @@ extern void ValidatePgVersion(const char *path);
 extern void process_shared_preload_libraries(void);
 extern void process_local_preload_libraries(void);
 extern void pg_bindtextdomain(const char *domain);
-extern bool is_authenticated_user_replication_role(void);
+extern bool has_rolreplication(Oid roleid);
 
 /* in access/transam/xlog.c */
 extern bool BackupInProgress(void);