mirror/postgresql
2
0
Fork 0
mirror of https://git.postgresql.org/git/postgresql.git synced 2025-03-07 19:47:50 +08:00
Code Issues Packages Projects Releases Wiki Activity

Parallel workers use AuthenticatedUserId for connection privilege checks.

Browse Source 
Commit 5a2fed911 had an unexpected side-effect: the parallel worker
launched for the new test case would fail if it couldn't use a
superuser-reserved connection slot.  The reason that test failed
while all our pre-existing ones worked is that the connection
privilege tests in InitPostgres had been based on the superuserness
of the leader's AuthenticatedUserId, but after the rearrangements
of 5a2fed911 we were testing the superuserness of CurrentUserId,
which the new test case deliberately made to be a non-superuser.

This all seems very accidental and probably not the behavior we really
want, but a security patch is no time to be redesigning things.
Pending some discussion about desirable semantics, hack it so that
InitPostgres continues to pay attention to the superuserness of
AuthenticatedUserId when starting a parallel worker.

Nathan Bossart and Tom Lane, per buildfarm member sawshark.

Security: CVE-2024-10978
This commit is contained in:
Tom Lane 2024-11-11 17:05:53 -05:00
parent 64df887009
commit 95f5a52372
1 changed files with 18 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
src/backend/utils/init/postinit.c
View File

@ -22,6 +22,7 @@
#include "access/genam.h"
#include "access/heapam.h"
#include "access/htup_details.h"
#include "access/parallel.h"
#include "access/session.h"
#include "access/sysattr.h"
#include "access/tableam.h"
@ -902,7 +903,23 @@ InitPostgres(const char *in_dbname, Oid dboid,
else
{
InitializeSessionUserId(username, useroid);
am_superuser = superuser();
/*
* In a parallel worker, set am_superuser based on the
* authenticated user ID, not the current role. This is pretty
* dubious but it matches our historical behavior. Note that this
* value of am_superuser is used only for connection-privilege
* checks here and in CheckMyDatabase (we won't reach
* process_startup_options in a background worker).
*
* In other cases, there's been no opportunity for the current
* role to diverge from the authenticated user ID yet, so we can
* just rely on superuser() and avoid an extra catalog lookup.
*/
if (InitializingParallelWorker)
am_superuser = superuser_arg(GetAuthenticatedUserId());
else
am_superuser = superuser();
}
}
else