mirror/postgresql
2
0
Fork 0
mirror of https://git.postgresql.org/git/postgresql.git synced 2025-03-01 19:45:33 +08:00
Code Issues Packages Projects Releases Wiki Activity

Match pg_user_mappings limits to information_schema.user_mapping_options.

Browse Source 
Both views replace the umoptions field with NULL when the user does not
meet qualifications to see it.  They used different qualifications, and
pg_user_mappings documented qualifications did not match its implemented
qualifications.  Make its documentation and implementation match those
of user_mapping_options.  One might argue for stronger qualifications,
but these have long, documented tenure.  pg_user_mappings has always
exhibited this problem, so back-patch to 9.2 (all supported versions).

Michael Paquier and Feike Steenbergen.  Reviewed by Jeff Janes.
Reported by Andrew Wheelwright.

Security: CVE-2017-7486
This commit is contained in:
Noah Misch 2017-05-08 07:24:24 -07:00
parent 3eab811275
commit b5b124046c
5 changed files with 82 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
doc/src/sgml/catalogs.sgml
View File

@ -9212,8 +9212,11 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx
<entry></entry>
<entry>
User mapping specific options, as <quote>keyword=value</>
strings, if the current user is the owner of the foreign
server, else null
strings. This column will show as null unless the current user
is the user being mapped, or the mapping is for
<literal>PUBLIC</literal> and the current user is the server
owner, or the current user is a superuser. The intent is
to protect password information stored as user mapping option.
</entry>
</row>
</tbody>

10
src/backend/catalog/system_views.sql
View File

@ -696,11 +696,11 @@ CREATE VIEW pg_user_mappings AS
ELSE
A.rolname
END AS usename,
CASE WHEN pg_has_role(S.srvowner, 'USAGE') OR has_server_privilege(S.oid, 'USAGE') THEN
U.umoptions
ELSE
NULL
END AS umoptions
CASE WHEN (U.umuser <> 0 AND A.rolname = current_user)
OR (U.umuser = 0 AND pg_has_role(S.srvowner, 'USAGE'))
OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user)
THEN U.umoptions
ELSE NULL END AS umoptions
FROM pg_user_mapping U
LEFT JOIN pg_authid A ON (A.oid = U.umuser) JOIN
pg_foreign_server S ON (U.umserver = S.oid);

54
src/test/regress/expected/foreign_data.out
View File

@ -1157,7 +1157,61 @@ WARNING: no privileges were granted for "s9"
CREATE USER MAPPING FOR current_user SERVER s9;
DROP SERVER s9 CASCADE; -- ERROR
ERROR: must be owner of foreign server s9
-- Check visibility of user mapping data
SET ROLE regress_test_role;
CREATE SERVER s10 FOREIGN DATA WRAPPER foo;
CREATE USER MAPPING FOR public SERVER s10 OPTIONS (user 'secret');
GRANT USAGE ON FOREIGN SERVER s10 TO unprivileged_role;
-- owner of server can see option fields
\deu+
List of user mappings
Server | User name | FDW Options
--------+-------------------+-------------------
s10 | public | ("user" 'secret')
s4 | foreign_data_user |
s5 | regress_test_role | (modified '1')
s6 | regress_test_role |
s8 | foreign_data_user |
s8 | public |
s9 | unprivileged_role |
t1 | public | (modified '1')
(8 rows)
RESET ROLE;
-- superuser can see option fields
\deu+
List of user mappings
Server | User name | FDW Options
--------+-------------------+---------------------
s10 | public | ("user" 'secret')
s4 | foreign_data_user |
s5 | regress_test_role | (modified '1')
s6 | regress_test_role |
s8 | foreign_data_user | (password 'public')
s8 | public |
s9 | unprivileged_role |
t1 | public | (modified '1')
(8 rows)
-- unprivileged user cannot see option fields
SET ROLE unprivileged_role;
\deu+
List of user mappings
Server | User name | FDW Options
--------+-------------------+-------------
s10 | public |
s4 | foreign_data_user |
s5 | regress_test_role |
s6 | regress_test_role |
s8 | foreign_data_user |
s8 | public |
s9 | unprivileged_role |
t1 | public |
(8 rows)
RESET ROLE;
DROP SERVER s10 CASCADE;
NOTICE: drop cascades to user mapping for public on server s10
-- DROP FOREIGN TABLE
DROP FOREIGN TABLE no_table; -- ERROR
ERROR: foreign table "no_table" does not exist

4
src/test/regress/expected/rules.out
View File

@ -2026,7 +2026,9 @@ SELECT viewname, definition FROM pg_views WHERE schemaname <> 'information_schem
| ELSE a.rolname +
| END AS usename, +
| CASE +
| WHEN (pg_has_role(s.srvowner, 'USAGE'::text) OR has_server_privilege(s.oid, 'USAGE'::text)) THEN u.umoptions +
| WHEN ((((u.umuser <> (0)::oid) AND (a.rolname = "current_user"())) OR ((u.umuser = (0)::oid) AND pg_has_role(s.srvowner, 'USAGE'::text))) OR ( SELECT pg_authid.rolsuper +
| FROM pg_authid +
| WHERE (pg_authid.rolname = "current_user"()))) THEN u.umoptions +
| ELSE NULL::text[] +
| END AS umoptions +
| FROM ((pg_user_mapping u +

15
src/test/regress/sql/foreign_data.sql
View File

@ -468,7 +468,22 @@ ALTER SERVER s9 VERSION '1.2'; -- ERROR
GRANT USAGE ON FOREIGN SERVER s9 TO regress_test_role; -- WARNING
CREATE USER MAPPING FOR current_user SERVER s9;
DROP SERVER s9 CASCADE; -- ERROR
-- Check visibility of user mapping data
SET ROLE regress_test_role;
CREATE SERVER s10 FOREIGN DATA WRAPPER foo;
CREATE USER MAPPING FOR public SERVER s10 OPTIONS (user 'secret');
GRANT USAGE ON FOREIGN SERVER s10 TO unprivileged_role;
-- owner of server can see option fields
\deu+
RESET ROLE;
-- superuser can see option fields
\deu+
-- unprivileged user cannot see option fields
SET ROLE unprivileged_role;
\deu+
RESET ROLE;
DROP SERVER s10 CASCADE;
-- DROP FOREIGN TABLE
DROP FOREIGN TABLE no_table; -- ERROR