diff options
author | Noah Misch <noah@leadboat.com> | 2017-05-08 07:24:24 -0700 |
---|---|---|
committer | Noah Misch <noah@leadboat.com> | 2017-05-08 07:24:27 -0700 |
commit | db2158108674812abe883f7e0bd14eb2024ea8f3 (patch) | |
tree | 5737d3a4176a7ca93757962b29075c0e331fade0 | |
parent | 96d7454920e28447a1127497bba624cdf0f315c1 (diff) | |
download | postgresql-db2158108674812abe883f7e0bd14eb2024ea8f3.tar.gz |
Match pg_user_mappings limits to information_schema.user_mapping_options.
Both views replace the umoptions field with NULL when the user does not
meet qualifications to see it. They used different qualifications, and
pg_user_mappings documented qualifications did not match its implemented
qualifications. Make its documentation and implementation match those
of user_mapping_options. One might argue for stronger qualifications,
but these have long, documented tenure. pg_user_mappings has always
exhibited this problem, so back-patch to 9.2 (all supported versions).
Michael Paquier and Feike Steenbergen. Reviewed by Jeff Janes.
Reported by Andrew Wheelwright.
Security: CVE-2017-7486
-rw-r--r-- | doc/src/sgml/catalogs.sgml | 7 | ||||
-rw-r--r-- | src/backend/catalog/system_views.sql | 10 | ||||
-rw-r--r-- | src/test/regress/expected/foreign_data.out | 54 | ||||
-rw-r--r-- | src/test/regress/expected/rules.out | 4 | ||||
-rw-r--r-- | src/test/regress/sql/foreign_data.sql | 15 |
5 files changed, 82 insertions, 8 deletions
diff --git a/doc/src/sgml/catalogs.sgml b/doc/src/sgml/catalogs.sgml index ba2e4463ea..23cb262753 100644 --- a/doc/src/sgml/catalogs.sgml +++ b/doc/src/sgml/catalogs.sgml @@ -9990,8 +9990,11 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx <entry></entry> <entry> User mapping specific options, as <quote>keyword=value</> - strings, if the current user is the owner of the foreign - server, else null + strings. This column will show as null unless the current user + is the user being mapped, or the mapping is for + <literal>PUBLIC</literal> and the current user is the server + owner, or the current user is a superuser. The intent is + to protect password information stored as user mapping option. </entry> </row> </tbody> diff --git a/src/backend/catalog/system_views.sql b/src/backend/catalog/system_views.sql index c0bd6fa96b..9f59f9d17b 100644 --- a/src/backend/catalog/system_views.sql +++ b/src/backend/catalog/system_views.sql @@ -775,11 +775,11 @@ CREATE VIEW pg_user_mappings AS ELSE A.rolname END AS usename, - CASE WHEN pg_has_role(S.srvowner, 'USAGE') OR has_server_privilege(S.oid, 'USAGE') THEN - U.umoptions - ELSE - NULL - END AS umoptions + CASE WHEN (U.umuser <> 0 AND A.rolname = current_user) + OR (U.umuser = 0 AND pg_has_role(S.srvowner, 'USAGE')) + OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user) + THEN U.umoptions + ELSE NULL END AS umoptions FROM pg_user_mapping U LEFT JOIN pg_authid A ON (A.oid = U.umuser) JOIN pg_foreign_server S ON (U.umserver = S.oid); diff --git a/src/test/regress/expected/foreign_data.out b/src/test/regress/expected/foreign_data.out index 660840cd90..03d11d908a 100644 --- a/src/test/regress/expected/foreign_data.out +++ b/src/test/regress/expected/foreign_data.out @@ -1194,7 +1194,61 @@ WARNING: no privileges were granted for "s9" CREATE USER MAPPING FOR current_user SERVER s9; DROP SERVER s9 CASCADE; -- ERROR ERROR: must be owner of foreign server s9 +-- Check visibility of user mapping data +SET ROLE regress_test_role; +CREATE SERVER s10 FOREIGN DATA WRAPPER foo; +CREATE USER MAPPING FOR public SERVER s10 OPTIONS (user 'secret'); +GRANT USAGE ON FOREIGN SERVER s10 TO unprivileged_role; +-- owner of server can see option fields +\deu+ + List of user mappings + Server | User name | FDW Options +--------+-------------------+------------------- + s10 | public | ("user" 'secret') + s4 | foreign_data_user | + s5 | regress_test_role | (modified '1') + s6 | regress_test_role | + s8 | foreign_data_user | + s8 | public | + s9 | unprivileged_role | + t1 | public | (modified '1') +(8 rows) + +RESET ROLE; +-- superuser can see option fields +\deu+ + List of user mappings + Server | User name | FDW Options +--------+-------------------+--------------------- + s10 | public | ("user" 'secret') + s4 | foreign_data_user | + s5 | regress_test_role | (modified '1') + s6 | regress_test_role | + s8 | foreign_data_user | (password 'public') + s8 | public | + s9 | unprivileged_role | + t1 | public | (modified '1') +(8 rows) + +-- unprivileged user cannot see option fields +SET ROLE unprivileged_role; +\deu+ + List of user mappings + Server | User name | FDW Options +--------+-------------------+------------- + s10 | public | + s4 | foreign_data_user | + s5 | regress_test_role | + s6 | regress_test_role | + s8 | foreign_data_user | + s8 | public | + s9 | unprivileged_role | + t1 | public | +(8 rows) + RESET ROLE; +DROP SERVER s10 CASCADE; +NOTICE: drop cascades to user mapping for public on server s10 -- Triggers CREATE FUNCTION dummy_trigger() RETURNS TRIGGER AS $$ BEGIN diff --git a/src/test/regress/expected/rules.out b/src/test/regress/expected/rules.out index 899ab445db..e5bd422a30 100644 --- a/src/test/regress/expected/rules.out +++ b/src/test/regress/expected/rules.out @@ -2102,7 +2102,9 @@ pg_user_mappings| SELECT u.oid AS umid, ELSE a.rolname END AS usename, CASE - WHEN (pg_has_role(s.srvowner, 'USAGE'::text) OR has_server_privilege(s.oid, 'USAGE'::text)) THEN u.umoptions + WHEN (((u.umuser <> (0)::oid) AND (a.rolname = "current_user"())) OR ((u.umuser = (0)::oid) AND pg_has_role(s.srvowner, 'USAGE'::text)) OR ( SELECT pg_authid.rolsuper + FROM pg_authid + WHERE (pg_authid.rolname = "current_user"()))) THEN u.umoptions ELSE NULL::text[] END AS umoptions FROM ((pg_user_mapping u diff --git a/src/test/regress/sql/foreign_data.sql b/src/test/regress/sql/foreign_data.sql index 384e155fcb..b78ae2d040 100644 --- a/src/test/regress/sql/foreign_data.sql +++ b/src/test/regress/sql/foreign_data.sql @@ -490,7 +490,22 @@ ALTER SERVER s9 VERSION '1.2'; -- ERROR GRANT USAGE ON FOREIGN SERVER s9 TO regress_test_role; -- WARNING CREATE USER MAPPING FOR current_user SERVER s9; DROP SERVER s9 CASCADE; -- ERROR + +-- Check visibility of user mapping data +SET ROLE regress_test_role; +CREATE SERVER s10 FOREIGN DATA WRAPPER foo; +CREATE USER MAPPING FOR public SERVER s10 OPTIONS (user 'secret'); +GRANT USAGE ON FOREIGN SERVER s10 TO unprivileged_role; +-- owner of server can see option fields +\deu+ +RESET ROLE; +-- superuser can see option fields +\deu+ +-- unprivileged user cannot see option fields +SET ROLE unprivileged_role; +\deu+ RESET ROLE; +DROP SERVER s10 CASCADE; -- Triggers CREATE FUNCTION dummy_trigger() RETURNS TRIGGER AS $$ |