From: Tom Lane Date: Mon, 1 Apr 2013 17:09:35 +0000 (-0400) Subject: Make REPLICATION privilege checks test current user not authenticated user. X-Git-Tag: REL9_1_9~3 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b403f4107ba74bcf29499ba3e77e0eae70e62679;p=postgresql Make REPLICATION privilege checks test current user not authenticated user. The pg_start_backup() and pg_stop_backup() functions checked the privileges of the initially-authenticated user rather than the current user, which is wrong. For example, a user-defined index function could successfully call these functions when executed by ANALYZE within autovacuum. This could allow an attacker with valid but low-privilege database access to interfere with creation of routine backups. Reported and fixed by Noah Misch. Security: CVE-2013-1901 --- diff --git a/src/backend/access/transam/xlog.c b/src/backend/access/transam/xlog.c index 859df783e6..4c96afa0f3 100644 --- a/src/backend/access/transam/xlog.c +++ b/src/backend/access/transam/xlog.c @@ -8982,7 +8982,7 @@ do_pg_start_backup(const char *backupidstr, bool fast, char **labelfile) FILE *fp; StringInfoData labelfbuf; - if (!superuser() && !is_authenticated_user_replication_role()) + if (!superuser() && !has_rolreplication(GetUserId())) ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), errmsg("must be superuser or replication role to run a backup"))); @@ -9261,7 +9261,7 @@ do_pg_stop_backup(char *labelfile, bool waitforarchive) bool reported_waiting = false; char *remaining; - if (!superuser() && !is_authenticated_user_replication_role()) + if (!superuser() && !has_rolreplication(GetUserId())) ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), (errmsg("must be superuser or replication role to run a backup")))); diff --git a/src/backend/utils/init/miscinit.c b/src/backend/utils/init/miscinit.c index f6cd0c0675..25cbf60e65 100644 --- a/src/backend/utils/init/miscinit.c +++ b/src/backend/utils/init/miscinit.c @@ -389,15 +389,15 @@ SetUserIdAndContext(Oid userid, bool sec_def_context) /* - * Check if the authenticated user is a replication role + * Check whether specified role has explicit REPLICATION privilege */ bool -is_authenticated_user_replication_role(void) +has_rolreplication(Oid roleid) { bool result = false; HeapTuple utup; - utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(AuthenticatedUserId)); + utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); if (HeapTupleIsValid(utup)) { result = ((Form_pg_authid) GETSTRUCT(utup))->rolreplication; diff --git a/src/backend/utils/init/postinit.c b/src/backend/utils/init/postinit.c index dfe338c2bf..efb48d92ec 100644 --- a/src/backend/utils/init/postinit.c +++ b/src/backend/utils/init/postinit.c @@ -669,7 +669,7 @@ InitPostgres(const char *in_dbname, Oid dboid, const char *username, Assert(!bootstrap); /* must have authenticated as a replication role */ - if (!is_authenticated_user_replication_role()) + if (!has_rolreplication(GetUserId())) ereport(FATAL, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), errmsg("must be replication role to start walsender"))); diff --git a/src/include/miscadmin.h b/src/include/miscadmin.h index 29363ead1a..82af9ab89f 100644 --- a/src/include/miscadmin.h +++ b/src/include/miscadmin.h @@ -395,7 +395,7 @@ extern void ValidatePgVersion(const char *path); extern void process_shared_preload_libraries(void); extern void process_local_preload_libraries(void); extern void pg_bindtextdomain(const char *domain); -extern bool is_authenticated_user_replication_role(void); +extern bool has_rolreplication(Oid roleid); /* in access/transam/xlog.c */ extern bool BackupInProgress(void);