
Restrict non-superusers to password authenticated connections
to prevent possible escalation of privilege. Provide new SECURITY DEFINER functions with old behavior, but initially REVOKE ALL from public for these functions. Per list discussion and design proposed by Tom Lane. A different approach will be used for back-branches, committed separately.
1 parent 51bc3df commit d92583f


3 files changed

+83
-2
lines changed


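--- a/contrib/dblink/dblink.c
+++ b/contrib/dblink/dblink.c
@@ -8,7 +8,7 @@
 * Darko Prenosil <Darko.Prenosil@finteh.hr>
 * Shridhar Daithankar <shridhar_daithankar@persistent.co.in>
 *
-* $PostgreSQL: pgsql/contrib/dblink/dblink.c,v 1.63 2007/04/06 04:21:41 tgl Exp $
+* $PostgreSQL: pgsql/contrib/dblink/dblink.c,v 1.64 2007/07/08 17:12:38 joe Exp $
 * Copyright (c) 2001-2007, PostgreSQL Global Development Group
 * ALL RIGHTS RESERVED;
 *
@@ -37,6 +37,7 @@
 #include "libpq-fe.h"
 #include "fmgr.h"
 #include "funcapi.h"
+#include "miscadmin.h"
 #include "access/heapam.h"
 #include "access/tupdesc.h"
 #include "catalog/namespace.h"
@@ -245,6 +246,22 @@ dblink_connect(PG_FUNCTION_ARGS)
 errdetail("%s", msg)));
 }
 
+if (!superuser())
+{
+if (!PQconnectionUsedPassword(conn))
+{
+PQfinish(conn);
+if (rconn)
+pfree(rconn);
+
+ereport(ERROR,
+(errcode(ERRCODE_S_R_E_PROHIBITED_SQL_STATEMENT_ATTEMPTED),
+errmsg("password is required"),
+errdetail("Non-superuser cannot connect if the server does not request a password."),
+errhint("Target server's authentication method must be changed.")));
+}
+}
+
 if (connname)
 {
 rconn->conn = conn;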
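Review bot: The new guard in dblink_connect only establishes that the remote server asked for a password, not that the calling role supplied one: `PQconnectionUsedPassword(conn)` is also true when libpq obtained the password from the backend process's environment (PGPASSWORD) or from the server OS user's ~/.pgpass, so a non-superuser could still authenticate with credentials that belong to the server rather than to themselves — assuming libpq's usual password sources apply to a connection opened from inside the backend. A stricter test would additionally require the caller's connstr itself to carry a `password=` option and reject it otherwise, so the caller must prove possession of the credential. The check also runs after the remote server has already completed authentication and the connection is then dropped with `PQfinish(conn)`; that ordering is forced by the API but deserves a comment such as `/* Connect first: only after libpq has negotiated auth can we tell whether a password was used */`. This hunk changes only dblink_connect; if other dblink entry points that accept a raw connection string open connections without going through it, they remain unrestricted by this commit. dblink_connect's signature and the start of its body lie outside the hunk.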

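--- a/contrib/dblink/dblink.sql.in
+++ b/contrib/dblink/dblink.sql.in
@@ -1,3 +1,5 @@
+-- dblink_connect now restricts non-superusers to password
+-- authenticated connections
 CREATE OR REPLACE FUNCTION dblink_connect (text)
 RETURNS text
 AS 'MODULE_PATHNAME','dblink_connect'
@@ -8,6 +10,22 @@ RETURNS text
 AS 'MODULE_PATHNAME','dblink_connect'
 LANGUAGE C STRICT;
 
+-- dblink_connect_u allows non-superusers to use
+-- non-password authenticated connections, but initially
+-- privileges are revoked from public
+CREATE OR REPLACE FUNCTION dblink_connect_u (text)
+RETURNS text
+AS 'MODULE_PATHNAME','dblink_connect'
+LANGUAGE C STRICT SECURITY DEFINER;
+
+CREATE OR REPLACE FUNCTION dblink_connect_u (text, text)
+RETURNS text
+AS 'MODULE_PATHNAME','dblink_connect'
+LANGUAGE C STRICT SECURITY DEFINER;
+
+REVOKE ALL ON FUNCTION dblink_connect_u (text) FROM public;
+REVOKE ALL ON FUNCTION dblink_connect_u (text, text) FROM public;
+
 CREATE OR REPLACE FUNCTION dblink_disconnect ()
 RETURNS text
 AS 'MODULE_PATHNAME','dblink_disconnect'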
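Review bot: The comment above dblink_connect_u says what the functions permit but not why they work: both `_u` variants point at the same `dblink_connect` C entry point, and the bypass depends on SECURITY DEFINER making the function owner the effective user, so the superuser test inside passes only when the owner is a superuser. That assumption should be stated next to the definitions, e.g. `-- SECURITY DEFINER: the superuser check inside dblink_connect sees the function owner, so these bypass the password requirement only when installed by a superuser`. The two REVOKE statements are correctly placed after the CREATE OR REPLACE lines, since PostgreSQL grants EXECUTE to PUBLIC on a newly created function and a replaced function keeps its existing grants; a short `-- must follow CREATE: new functions are executable by PUBLIC by default` would keep a later reordering from silently reopening access.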

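--- a/contrib/dblink/doc/connection
+++ b/contrib/dblink/doc/connection
@@ -1,4 +1,4 @@
-$PostgreSQL: pgsql/contrib/dblink/doc/connection,v 1.4 2006/03/11 04:38:29 momjian Exp $
+$PostgreSQL: pgsql/contrib/dblink/doc/connection,v 1.5 2007/07/08 17:12:38 joe Exp $
 ==================================================================
 Name
 
@@ -27,6 +27,12 @@ Outputs
 
 Returns status = "OK"
 
+Notes
+
+Only superusers may use dblink_connect to create non-password
+authenticated connections. If non-superusers need this capability,
+use dblink_connect_u instead.
+
 Example usage
 
 select dblink_connect('dbname=postgres');
@@ -41,6 +47,46 @@ select dblink_connect('myconn','dbname=postgres');
 OK
 (1 row)
 
+==================================================================
+Name
+
+dblink_connect_u -- Opens a persistent connection to a remote database
+
+Synopsis
+
+dblink_connect_u(text connstr)
+dblink_connect_u(text connname, text connstr)
+
+Inputs
+
+connname
+if 2 arguments are given, the first is used as a name for a persistent
+connection
+
+connstr
+
+standard libpq format connection string,
+e.g. "hostaddr=127.0.0.1 port=5432 dbname=mydb user=postgres password=mypasswd"
+
+if only one argument is given, the connection is unnamed; only one unnamed
+connection can exist at a time
+
+Outputs
+
+Returns status = "OK"
+
+Notes
+
+With dblink_connect_u, a non-superuser may connect to any database server
+using any authentication method. If the authentication method specified
+for a particular user does not require a password, impersonation and
+therefore escalation of privileges may occur. For this reason,
+dblink_connect_u is initially installed with all privileges revoked from
+public. Privilege to these functions should be granted with care.
+
+Example usage
+
+
 ==================================================================
 Name
 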