On Sat, Jul 8, 2023 at 6:09 PM Nathan Bossart <nathandboss...@gmail.com> wrote:
>> I think the issue here is that if a session loses the ability to set >> their session authorization in the middle of a transaction, then >> rolling back the transaction may fail and cause the server to panic. >> That's probably what the deleted comment mean when it said: >> >>> * It's OK because the check does not require catalog access and can't >>> * fail during an end-of-transaction GUC reversion > > Yeah. IIUC the ERROR longjmps to a block that calls AbortTransaction(), > which ERRORs again when resetting the session authorization, which causes > us to call AbortTransaction() again, etc., etc. Everything seems to work fine if the privilege check is moved to check_session_authorization. Which is maybe what the comment meant instead of assign_session_authorization. I've attached a patch with this change. Thanks, Joe Koshakow
From cb0198524d96068079e301a6785301440f3be3aa Mon Sep 17 00:00:00 2001 From: Joseph Koshakow <kosh...@gmail.com> Date: Thu, 15 Jun 2023 14:53:11 -0400 Subject: [PATCH] Prevent non-superusers from altering session auth Previously, if a user connected with as a role that had the superuser attribute, then they could always execute a SET SESSION AUTHORIZATION statement for the duration of their session. Even if the role was altered to set superuser to false, the user was still allowed to execute SET SESSION AUTHORIZATION. This allowed them to set their session role to some other superuser and effectively regain the superuser privileges. They could even reset their own superuser attribute to true. This commit alters the privilege checks for SET SESSION AUTHORIZATION such that a user can only execute it if the role they connected with is currently a superuser. This prevents users from regaining superuser privileges after it has been revoked. --- doc/src/sgml/ref/set_session_auth.sgml | 2 +- src/backend/commands/variable.c | 13 +++++++++++- src/backend/utils/init/miscinit.c | 28 ++++++-------------------- 3 files changed, 19 insertions(+), 24 deletions(-) diff --git a/doc/src/sgml/ref/set_session_auth.sgml b/doc/src/sgml/ref/set_session_auth.sgml index f8fcafc194..94adab2468 100644 --- a/doc/src/sgml/ref/set_session_auth.sgml +++ b/doc/src/sgml/ref/set_session_auth.sgml @@ -51,7 +51,7 @@ RESET SESSION AUTHORIZATION <para> The session user identifier can be changed only if the initial session - user (the <firstterm>authenticated user</firstterm>) had the + user (the <firstterm>authenticated user</firstterm>) has the superuser privilege. Otherwise, the command is accepted only if it specifies the authenticated user name. </para> diff --git a/src/backend/commands/variable.c b/src/backend/commands/variable.c index f0f2e07655..e2f47eceb7 100644 --- a/src/backend/commands/variable.c +++ b/src/backend/commands/variable.c @@ -803,7 +803,8 @@ check_session_authorization(char **newval, void **extra, GucSource source) { HeapTuple roleTup; Form_pg_authid roleform; - Oid roleid; + Oid roleid, + authenticated_user_id; bool is_superuser; role_auth_extra *myextra; @@ -846,6 +847,16 @@ check_session_authorization(char **newval, void **extra, GucSource source) ReleaseSysCache(roleTup); + authenticated_user_id = GetAuthenticatedUserId(); + /* Must have authenticated already, else can't make permission check */ + Assert(OidIsValid(authenticated_user_id)); + + if (roleid != authenticated_user_id && + !superuser_arg(authenticated_user_id)) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("permission denied to set session authorization"))); + /* Set up "extra" struct for assign_session_authorization to use */ myextra = (role_auth_extra *) guc_malloc(LOG, sizeof(role_auth_extra)); if (!myextra) diff --git a/src/backend/utils/init/miscinit.c b/src/backend/utils/init/miscinit.c index a604432126..04e019df20 100644 --- a/src/backend/utils/init/miscinit.c +++ b/src/backend/utils/init/miscinit.c @@ -467,7 +467,7 @@ ChangeToDataDir(void) * AuthenticatedUserId is determined at connection start and never changes. * * SessionUserId is initially the same as AuthenticatedUserId, but can be - * changed by SET SESSION AUTHORIZATION (if AuthenticatedUserIsSuperuser). + * changed by SET SESSION AUTHORIZATION (if AuthenticatedUserId is a superuser). * This is the ID reported by the SESSION_USER SQL function. * * OuterUserId is the current user ID in effect at the "outer level" (outside @@ -492,8 +492,6 @@ static Oid OuterUserId = InvalidOid; static Oid CurrentUserId = InvalidOid; static const char *SystemUser = NULL; -/* We also have to remember the superuser state of some of these levels */ -static bool AuthenticatedUserIsSuperuser = false; static bool SessionUserIsSuperuser = false; static int SecurityRestrictionContext = 0; @@ -731,6 +729,7 @@ InitializeSessionUserId(const char *rolename, Oid roleid) HeapTuple roleTup; Form_pg_authid rform; char *rname; + bool is_superuser; /* * Don't do scans if we're bootstrapping, none of the system catalogs @@ -770,10 +769,10 @@ InitializeSessionUserId(const char *rolename, Oid roleid) rname = NameStr(rform->rolname); AuthenticatedUserId = roleid; - AuthenticatedUserIsSuperuser = rform->rolsuper; + is_superuser = rform->rolsuper; /* This sets OuterUserId/CurrentUserId too */ - SetSessionUserId(roleid, AuthenticatedUserIsSuperuser); + SetSessionUserId(roleid, is_superuser); /* Also mark our PGPROC entry with the authenticated user id */ /* (We assume this is an atomic store so no lock is needed) */ @@ -806,7 +805,7 @@ InitializeSessionUserId(const char *rolename, Oid roleid) * just document that the connection limit is approximate. */ if (rform->rolconnlimit >= 0 && - !AuthenticatedUserIsSuperuser && + !is_superuser && CountUserBackends(roleid) > rform->rolconnlimit) ereport(FATAL, (errcode(ERRCODE_TOO_MANY_CONNECTIONS), @@ -818,7 +817,7 @@ InitializeSessionUserId(const char *rolename, Oid roleid) SetConfigOption("session_authorization", rname, PGC_BACKEND, PGC_S_OVERRIDE); SetConfigOption("is_superuser", - AuthenticatedUserIsSuperuser ? "on" : "off", + is_superuser ? "on" : "off", PGC_INTERNAL, PGC_S_DYNAMIC_DEFAULT); ReleaseSysCache(roleTup); @@ -841,7 +840,6 @@ InitializeSessionUserIdStandalone(void) Assert(!OidIsValid(AuthenticatedUserId)); AuthenticatedUserId = BOOTSTRAP_SUPERUSERID; - AuthenticatedUserIsSuperuser = true; SetSessionUserId(BOOTSTRAP_SUPERUSERID, true); } @@ -893,24 +891,10 @@ system_user(PG_FUNCTION_ARGS) * that in case of multiple SETs in a single session, the original userid's * superuserness is what matters. But we set the GUC variable is_superuser * to indicate whether the *current* session userid is a superuser. - * - * Note: this is not an especially clean place to do the permission check. - * It's OK because the check does not require catalog access and can't - * fail during an end-of-transaction GUC reversion, but we may someday - * have to push it up into assign_session_authorization. */ void SetSessionAuthorization(Oid userid, bool is_superuser) { - /* Must have authenticated already, else can't make permission check */ - Assert(OidIsValid(AuthenticatedUserId)); - - if (userid != AuthenticatedUserId && - !AuthenticatedUserIsSuperuser) - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("permission denied to set session authorization"))); - SetSessionUserId(userid, is_superuser); SetConfigOption("is_superuser", -- 2.34.1