Make REPLICATION privilege checks test current user not authenticated user.
authorTom Lane <tgl@sss.pgh.pa.us>
Mon, 1 Apr 2013 17:09:24 +0000 (13:09 -0400)
committerTom Lane <tgl@sss.pgh.pa.us>
Mon, 1 Apr 2013 17:09:24 +0000 (13:09 -0400)
The pg_start_backup() and pg_stop_backup() functions checked the privileges
of the initially-authenticated user rather than the current user, which is
wrong.  For example, a user-defined index function could successfully call
these functions when executed by ANALYZE within autovacuum.  This could
allow an attacker with valid but low-privilege database access to interfere
with creation of routine backups.  Reported and fixed by Noah Misch.

Security: CVE-2013-1901

src/backend/access/transam/xlog.c
src/backend/utils/init/miscinit.c
src/backend/utils/init/postinit.c
src/include/miscadmin.h

index 07c68adf0bcda74ddd6ae102e6da281733d792e7..3227d4c6006868087d6a6332a40954048833fb51 100644 (file)
@@ -8367,7 +8367,7 @@ do_pg_start_backup(const char *backupidstr, bool fast, TimeLineID *starttli_p,
 
        backup_started_in_recovery = RecoveryInProgress();
 
-       if (!superuser() && !is_authenticated_user_replication_role())
+       if (!superuser() && !has_rolreplication(GetUserId()))
                ereport(ERROR,
                                (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
                   errmsg("must be superuser or replication role to run a backup")));
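Review bot: The privilege test on the new line is repeated verbatim in do_pg_stop_backup (the next hunk), error message included, so the two checks can drift apart again the way their user-id semantics did before this commit; a small file-local helper such as `static void check_backup_privilege(void)` called from both places would keep them in lockstep. The miscinit.c hunk shows has_rolreplication() reading the rolreplication flag of the given role directly, so membership in a replication role does not satisfy this test; a call-site comment, `/* REPLICATION is tested on the current user and is not inherited via role membership */`, would spare the next reader a trip to miscinit.c. do_pg_start_backup begins before and continues after this hunk.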
@@ -8705,7 +8705,7 @@ do_pg_stop_backup(char *labelfile, bool waitforarchive, TimeLineID *stoptli_p)
 
        backup_started_in_recovery = RecoveryInProgress();
 
-       if (!superuser() && !is_authenticated_user_replication_role())
+       if (!superuser() && !has_rolreplication(GetUserId()))
                ereport(ERROR,
                                (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
                 (errmsg("must be superuser or replication role to run a backup"))));
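Review bot: The ereport on the context lines wraps errmsg() in a redundant extra pair of parentheses, unlike the otherwise identical report in do_pg_start_backup; dropping them, `errmsg("must be superuser or replication role to run a backup")));`, makes the two checks textually identical and easier to diff or factor later. The privilege expression itself carries the same duplication point raised on the do_pg_start_backup hunk. do_pg_stop_backup begins before and continues after this hunk.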
index 24ca97d55c73ab5072de0bc29d629fce2145c769..493e91ca6106935a3661d08fa39c8655a78be6de 100644 (file)
@@ -390,15 +390,15 @@ SetUserIdAndContext(Oid userid, bool sec_def_context)
 
 
 /*
- * Check if the authenticated user is a replication role
+ * Check whether specified role has explicit REPLICATION privilege
  */
 bool
-is_authenticated_user_replication_role(void)
+has_rolreplication(Oid roleid)
 {
        bool            result = false;
        HeapTuple       utup;
 
-       utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(AuthenticatedUserId));
+       utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
        if (HeapTupleIsValid(utup))
        {
                result = ((Form_pg_authid) GETSTRUCT(utup))->rolreplication;
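Review bot: The new header comment does not say what happens for a roleid that has no pg_authid entry; the body initialises result to false and only sets it when the syscache lookup succeeds, so a nonexistent or dropped role fails closed, which is the right default but worth stating. It also helps callers to know what the function deliberately does not cover: it reads the rolreplication flag only, ignoring superuser status and role membership, which is why every caller in this commit pairs it with superuser(). A comment along the lines of `/* Returns false if roleid does not exist. Does not consider superuser status or role membership; callers test superuser() separately. */` under the existing header would capture both. The function body continues past this hunk (the cache release and return are not visible here).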
index 5f8f98b5e03ebeb47f337d5fadfb6efdd883abf3..da3127ea9c90045bbf3c0902cbce1f24da1437fc 100644 (file)
@@ -726,7 +726,7 @@ InitPostgres(const char *in_dbname, Oid dboid, const char *username,
        {
                Assert(!bootstrap);
 
-               if (!superuser() && !is_authenticated_user_replication_role())
+               if (!superuser() && !has_rolreplication(GetUserId()))
                        ereport(FATAL,
                                        (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
                                         errmsg("must be superuser or replication role to start walsender")));
index 99858a765f1a0e18ff32c973eccb04ba196a7dc5..b69ffe59cd15405e6606a4fce0e05e576df2b7f4 100644 (file)
@@ -439,7 +439,7 @@ extern void ValidatePgVersion(const char *path);
 extern void process_shared_preload_libraries(void);
 extern void process_local_preload_libraries(void);
 extern void pg_bindtextdomain(const char *domain);
-extern bool is_authenticated_user_replication_role(void);
+extern bool has_rolreplication(Oid roleid);
 
 /* in access/transam/xlog.c */
 extern bool BackupInProgress(void);