Restrict non-superusers to password authenticated connections

to prevent possible escalation of privilege. Provide new SECURITY
DEFINER functions with old behavior, but initially REVOKE ALL
from public for these functions. Per list discussion and design
proposed by Tom Lane. A different approach will be used for
back-branches, committed separately.
This commit is contained in:
Joe Conway 2007-07-08 17:12:38 +00:00
parent 51bc3dfe4b
commit d92583f88e
3 changed files with 83 additions and 2 deletions

View File

@ -8,7 +8,7 @@
* Darko Prenosil <Darko.Prenosil@finteh.hr>
* Shridhar Daithankar <shridhar_daithankar@persistent.co.in>
*
* $PostgreSQL: pgsql/contrib/dblink/dblink.c,v 1.63 2007/04/06 04:21:41 tgl Exp $
* $PostgreSQL: pgsql/contrib/dblink/dblink.c,v 1.64 2007/07/08 17:12:38 joe Exp $
* Copyright (c) 2001-2007, PostgreSQL Global Development Group
* ALL RIGHTS RESERVED;
*
@ -37,6 +37,7 @@
#include "libpq-fe.h"
#include "fmgr.h"
#include "funcapi.h"
#include "miscadmin.h"
#include "access/heapam.h"
#include "access/tupdesc.h"
#include "catalog/namespace.h"
@ -245,6 +246,22 @@ dblink_connect(PG_FUNCTION_ARGS)
errdetail("%s", msg)));
}
if (!superuser())
{
if (!PQconnectionUsedPassword(conn))
{
PQfinish(conn);
if (rconn)
pfree(rconn);
ereport(ERROR,
(errcode(ERRCODE_S_R_E_PROHIBITED_SQL_STATEMENT_ATTEMPTED),
errmsg("password is required"),
errdetail("Non-superuser cannot connect if the server does not request a password."),
errhint("Target server's authentication method must be changed.")));
}
}
if (connname)
{
rconn->conn = conn;

View File

@ -1,3 +1,5 @@
-- dblink_connect now restricts non-superusers to password
-- authenticated connections
CREATE OR REPLACE FUNCTION dblink_connect (text)
RETURNS text
AS 'MODULE_PATHNAME','dblink_connect'
@ -8,6 +10,22 @@ RETURNS text
AS 'MODULE_PATHNAME','dblink_connect'
LANGUAGE C STRICT;
-- dblink_connect_u allows non-superusers to use
-- non-password authenticated connections, but initially
-- privileges are revoked from public
CREATE OR REPLACE FUNCTION dblink_connect_u (text)
RETURNS text
AS 'MODULE_PATHNAME','dblink_connect'
LANGUAGE C STRICT SECURITY DEFINER;
CREATE OR REPLACE FUNCTION dblink_connect_u (text, text)
RETURNS text
AS 'MODULE_PATHNAME','dblink_connect'
LANGUAGE C STRICT SECURITY DEFINER;
REVOKE ALL ON FUNCTION dblink_connect_u (text) FROM public;
REVOKE ALL ON FUNCTION dblink_connect_u (text, text) FROM public;
CREATE OR REPLACE FUNCTION dblink_disconnect ()
RETURNS text
AS 'MODULE_PATHNAME','dblink_disconnect'

View File

@ -1,4 +1,4 @@
$PostgreSQL: pgsql/contrib/dblink/doc/connection,v 1.4 2006/03/11 04:38:29 momjian Exp $
$PostgreSQL: pgsql/contrib/dblink/doc/connection,v 1.5 2007/07/08 17:12:38 joe Exp $
==================================================================
Name
@ -27,6 +27,12 @@ Outputs
Returns status = "OK"
Notes
Only superusers may use dblink_connect to create non-password
authenticated connections. If non-superusers need this capability,
use dblink_connect_u instead.
Example usage
select dblink_connect('dbname=postgres');
@ -41,6 +47,46 @@ select dblink_connect('myconn','dbname=postgres');
OK
(1 row)
==================================================================
Name
dblink_connect_u -- Opens a persistent connection to a remote database
Synopsis
dblink_connect_u(text connstr)
dblink_connect_u(text connname, text connstr)
Inputs
connname
if 2 arguments are given, the first is used as a name for a persistent
connection
connstr
standard libpq format connection string,
e.g. "hostaddr=127.0.0.1 port=5432 dbname=mydb user=postgres password=mypasswd"
if only one argument is given, the connection is unnamed; only one unnamed
connection can exist at a time
Outputs
Returns status = "OK"
Notes
With dblink_connect_u, a non-superuser may connect to any database server
using any authentication method. If the authentication method specified
for a particular user does not require a password, impersonation and
therefore escalation of privileges may occur. For this reason,
dblink_connect_u is initially installed with all privileges revoked from
public. Privilege to these functions should be granted with care.
Example usage
==================================================================
Name