diff options
| author | Robert Haas <rhaas@postgresql.org> | 2022-03-28 13:38:13 -0400 |
|---|---|---|
| committer | Robert Haas <rhaas@postgresql.org> | 2022-03-28 13:38:13 -0400 |
| commit | 79de9842ab03259325ee4055fb0a7ebd2e4372ff (patch) | |
| tree | 114ec9a3a09c07d8051c9269b83fd75be31b818c /src/backend/utils/adt/acl.c | |
| parent | 61762426e6edbe87100dd5a4f107e8c06a11ec02 (diff) | |
| download | postgresql-79de9842ab03259325ee4055fb0a7ebd2e4372ff.tar.gz postgresql-79de9842ab03259325ee4055fb0a7ebd2e4372ff.zip | |
Remove the ability of a role to administer itself.
Commit f9fd1764615ed5d85fab703b0ffb0c323fe7dfd5 effectively gave
every role ADMIN OPTION on itself. However, this appears to be
something that happened accidentally as a result of refactoring
work rather than an intentional decision. Almost a decade later,
it was discovered that this was a security vulnerability. As a
result, commit fea164a72a7bfd50d77ba5fb418d357f8f2bb7d0 restricted
this implicit ADMIN OPTION privilege to be exercisable only when
the role being administered is the same as the session user and
when no security-restricted operation is in progress. That
commit also documented the existence of this implicit privilege
for what seems to be the first time.
The effect of the privilege is to allow a login role to grant
the privileges of that role, and optionally ADMIN OPTION on it,
to some other role. That's an unusual thing to do, because generally
membership is granted in roles used as groups, rather than roles
used as users. Therefore, it does not seem likely that removing
the privilege will break things for many PostgreSQL users.
However, it will make it easier to reason about the permissions
system. This is the only case where a user who has not been given any
special permission (superuser, or ADMIN OPTION on some role) can
modify role membership, so removing it makes things more consistent.
For example, if a superuser sets up role A and B and grants A to B
but no other privileges to anyone, she can now be sure that no one
else will be able to revoke that grant. Without this change, that
would have been true only if A was a non-login role.
Patch by me. Reviewed by Tom Lane and Stephen Frost.
Discussion: http://postgr.es/m/CA+Tgmoawdt03kbA+dNyBcNWJpRxu0f4X=69Y3+DkXXZqmwMDLg@mail.gmail.com
Diffstat (limited to 'src/backend/utils/adt/acl.c')
| -rw-r--r-- | src/backend/utils/adt/acl.c | 38 |
1 files changed, 2 insertions, 36 deletions
diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c index 0a16f8156cb..5d939de3da7 100644 --- a/src/backend/utils/adt/acl.c +++ b/src/backend/utils/adt/acl.c @@ -4619,11 +4619,6 @@ pg_role_aclcheck(Oid role_oid, Oid roleid, AclMode mode) { if (mode & ACL_GRANT_OPTION_FOR(ACL_CREATE)) { - /* - * XXX For roleid == role_oid, is_admin_of_role() also examines the - * session and call stack. That suits two-argument pg_has_role(), but - * it gives the three-argument version a lamentable whimsy. - */ if (is_admin_of_role(roleid, role_oid)) return ACLCHECK_OK; } @@ -4935,38 +4930,9 @@ is_admin_of_role(Oid member, Oid role) if (superuser_arg(member)) return true; + /* By policy, a role cannot have WITH ADMIN OPTION on itself. */ if (member == role) - - /* - * A role can admin itself when it matches the session user and we're - * outside any security-restricted operation, SECURITY DEFINER or - * similar context. SQL-standard roles cannot self-admin. However, - * SQL-standard users are distinct from roles, and they are not - * grantable like roles: PostgreSQL's role-user duality extends the - * standard. Checking for a session user match has the effect of - * letting a role self-admin only when it's conspicuously behaving - * like a user. Note that allowing self-admin under a mere SET ROLE - * would make WITH ADMIN OPTION largely irrelevant; any member could - * SET ROLE to issue the otherwise-forbidden command. - * - * Withholding self-admin in a security-restricted operation prevents - * object owners from harnessing the session user identity during - * administrative maintenance. Suppose Alice owns a database, has - * issued "GRANT alice TO bob", and runs a daily ANALYZE. Bob creates - * an alice-owned SECURITY DEFINER function that issues "REVOKE alice - * FROM carol". If he creates an expression index calling that - * function, Alice will attempt the REVOKE during each ANALYZE. - * Checking InSecurityRestrictedOperation() thwarts that attack. - * - * Withholding self-admin in SECURITY DEFINER functions makes their - * behavior independent of the calling user. There's no security or - * SQL-standard-conformance need for that restriction, though. - * - * A role cannot have actual WITH ADMIN OPTION on itself, because that - * would imply a membership loop. Therefore, we're done either way. - */ - return member == GetSessionUserId() && - !InLocalUserIdChange() && !InSecurityRestrictedOperation(); + return false; (void) roles_is_member_of(member, ROLERECURSE_MEMBERS, role, &result); return result; |