pgsql: Shore up ADMIN OPTION restrictions.
| От | Noah Misch |
|---|---|
| Тема | pgsql: Shore up ADMIN OPTION restrictions. |
| Дата | |
| Msg-id | E1WFPlR-0000fe-Jm@gemulon.postgresql.org обсуждение исходный текст |
| Список | pgsql-committers |
Shore up ADMIN OPTION restrictions. Granting a role without ADMIN OPTION is supposed to prevent the grantee from adding or removing members from the granted role. Issuing SET ROLE before the GRANT bypassed that, because the role itself had an implicit right to add or remove members. Plug that hole by recognizing that implicit right only when the session user matches the current role. Additionally, do not recognize it during a security-restricted operation or during execution of a SECURITY DEFINER function. The restriction on SECURITY DEFINER is not security-critical. However, it seems best for a user testing his own SECURITY DEFINER function to see the same behavior others will see. Back-patch to 8.4 (all supported versions). The SQL standards do not conflate roles and users as PostgreSQL does; only SQL roles have members, and only SQL users initiate sessions. An application using PostgreSQL users and roles as SQL users and roles will never attempt to grant membership in the role that is the session user, so the implicit right to add or remove members will never arise. The security impact was mostly that a role member could revoke access from others, contrary to the wishes of his own grantor. Unapproved role member additions are less notable, because the member can still largely achieve that by creating a view or a SECURITY DEFINER function. Reviewed by Andres Freund and Tom Lane. Reported, independently, by Jonas Sundman and Noah Misch. Security: CVE-2014-0060 Branch ------ REL9_3_STABLE Details ------- http://git.postgresql.org/pg/commitdiff/475a1fbc41a120ea3bd5f903e37c48d7a1769ff8 Modified Files -------------- doc/src/sgml/ref/grant.sgml | 12 ++++--- src/backend/commands/user.c | 11 ++++++- src/backend/utils/adt/acl.c | 50 ++++++++++++++++++++++++------ src/test/regress/expected/privileges.out | 36 ++++++++++++++++++++- src/test/regress/sql/privileges.sql | 29 ++++++++++++++++- 5 files changed, 120 insertions(+), 18 deletions(-)
В списке pgsql-committers по дате отправления: