summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNoah Misch2017-05-08 14:24:24 +0000
committerNoah Misch2017-05-08 14:24:28 +0000
commitb5b124046c0dc636d73c4a802bc731431dfd9dba (patch)
treeed721a6f5a65d088be156c1ec5299c002873f044
parent3eab8112754c484c192248afe64055d40a231f7b (diff)
Match pg_user_mappings limits to information_schema.user_mapping_options.
Both views replace the umoptions field with NULL when the user does not meet qualifications to see it. They used different qualifications, and pg_user_mappings documented qualifications did not match its implemented qualifications. Make its documentation and implementation match those of user_mapping_options. One might argue for stronger qualifications, but these have long, documented tenure. pg_user_mappings has always exhibited this problem, so back-patch to 9.2 (all supported versions). Michael Paquier and Feike Steenbergen. Reviewed by Jeff Janes. Reported by Andrew Wheelwright. Security: CVE-2017-7486
-rw-r--r--doc/src/sgml/catalogs.sgml7
-rw-r--r--src/backend/catalog/system_views.sql10
-rw-r--r--src/test/regress/expected/foreign_data.out54
-rw-r--r--src/test/regress/expected/rules.out4
-rw-r--r--src/test/regress/sql/foreign_data.sql15
5 files changed, 82 insertions, 8 deletions
diff --git a/doc/src/sgml/catalogs.sgml b/doc/src/sgml/catalogs.sgml
index 518d2fa4b50..52de61c3956 100644
--- a/doc/src/sgml/catalogs.sgml
+++ b/doc/src/sgml/catalogs.sgml
@@ -9212,8 +9212,11 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx
<entry></entry>
<entry>
User mapping specific options, as <quote>keyword=value</>
- strings, if the current user is the owner of the foreign
- server, else null
+ strings. This column will show as null unless the current user
+ is the user being mapped, or the mapping is for
+ <literal>PUBLIC</literal> and the current user is the server
+ owner, or the current user is a superuser. The intent is
+ to protect password information stored as user mapping option.
</entry>
</row>
</tbody>
diff --git a/src/backend/catalog/system_views.sql b/src/backend/catalog/system_views.sql
index 81d7c4fec8c..699283b1328 100644
--- a/src/backend/catalog/system_views.sql
+++ b/src/backend/catalog/system_views.sql
@@ -696,11 +696,11 @@ CREATE VIEW pg_user_mappings AS
ELSE
A.rolname
END AS usename,
- CASE WHEN pg_has_role(S.srvowner, 'USAGE') OR has_server_privilege(S.oid, 'USAGE') THEN
- U.umoptions
- ELSE
- NULL
- END AS umoptions
+ CASE WHEN (U.umuser <> 0 AND A.rolname = current_user)
+ OR (U.umuser = 0 AND pg_has_role(S.srvowner, 'USAGE'))
+ OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user)
+ THEN U.umoptions
+ ELSE NULL END AS umoptions
FROM pg_user_mapping U
LEFT JOIN pg_authid A ON (A.oid = U.umuser) JOIN
pg_foreign_server S ON (U.umserver = S.oid);
diff --git a/src/test/regress/expected/foreign_data.out b/src/test/regress/expected/foreign_data.out
index 857f1cefb2d..ebbe54989eb 100644
--- a/src/test/regress/expected/foreign_data.out
+++ b/src/test/regress/expected/foreign_data.out
@@ -1157,7 +1157,61 @@ WARNING: no privileges were granted for "s9"
CREATE USER MAPPING FOR current_user SERVER s9;
DROP SERVER s9 CASCADE; -- ERROR
ERROR: must be owner of foreign server s9
+-- Check visibility of user mapping data
+SET ROLE regress_test_role;
+CREATE SERVER s10 FOREIGN DATA WRAPPER foo;
+CREATE USER MAPPING FOR public SERVER s10 OPTIONS (user 'secret');
+GRANT USAGE ON FOREIGN SERVER s10 TO unprivileged_role;
+-- owner of server can see option fields
+\deu+
+ List of user mappings
+ Server | User name | FDW Options
+--------+-------------------+-------------------
+ s10 | public | ("user" 'secret')
+ s4 | foreign_data_user |
+ s5 | regress_test_role | (modified '1')
+ s6 | regress_test_role |
+ s8 | foreign_data_user |
+ s8 | public |
+ s9 | unprivileged_role |
+ t1 | public | (modified '1')
+(8 rows)
+
+RESET ROLE;
+-- superuser can see option fields
+\deu+
+ List of user mappings
+ Server | User name | FDW Options
+--------+-------------------+---------------------
+ s10 | public | ("user" 'secret')
+ s4 | foreign_data_user |
+ s5 | regress_test_role | (modified '1')
+ s6 | regress_test_role |
+ s8 | foreign_data_user | (password 'public')
+ s8 | public |
+ s9 | unprivileged_role |
+ t1 | public | (modified '1')
+(8 rows)
+
+-- unprivileged user cannot see option fields
+SET ROLE unprivileged_role;
+\deu+
+ List of user mappings
+ Server | User name | FDW Options
+--------+-------------------+-------------
+ s10 | public |
+ s4 | foreign_data_user |
+ s5 | regress_test_role |
+ s6 | regress_test_role |
+ s8 | foreign_data_user |
+ s8 | public |
+ s9 | unprivileged_role |
+ t1 | public |
+(8 rows)
+
RESET ROLE;
+DROP SERVER s10 CASCADE;
+NOTICE: drop cascades to user mapping for public on server s10
-- DROP FOREIGN TABLE
DROP FOREIGN TABLE no_table; -- ERROR
ERROR: foreign table "no_table" does not exist
diff --git a/src/test/regress/expected/rules.out b/src/test/regress/expected/rules.out
index 864e69be546..773b60d1d58 100644
--- a/src/test/regress/expected/rules.out
+++ b/src/test/regress/expected/rules.out
@@ -2026,7 +2026,9 @@ SELECT viewname, definition FROM pg_views WHERE schemaname <> 'information_schem
| ELSE a.rolname +
| END AS usename, +
| CASE +
- | WHEN (pg_has_role(s.srvowner, 'USAGE'::text) OR has_server_privilege(s.oid, 'USAGE'::text)) THEN u.umoptions +
+ | WHEN ((((u.umuser <> (0)::oid) AND (a.rolname = "current_user"())) OR ((u.umuser = (0)::oid) AND pg_has_role(s.srvowner, 'USAGE'::text))) OR ( SELECT pg_authid.rolsuper +
+ | FROM pg_authid +
+ | WHERE (pg_authid.rolname = "current_user"()))) THEN u.umoptions +
| ELSE NULL::text[] +
| END AS umoptions +
| FROM ((pg_user_mapping u +
diff --git a/src/test/regress/sql/foreign_data.sql b/src/test/regress/sql/foreign_data.sql
index 3dcbf0fbbc7..bf69cdfbc90 100644
--- a/src/test/regress/sql/foreign_data.sql
+++ b/src/test/regress/sql/foreign_data.sql
@@ -468,7 +468,22 @@ ALTER SERVER s9 VERSION '1.2'; -- ERROR
GRANT USAGE ON FOREIGN SERVER s9 TO regress_test_role; -- WARNING
CREATE USER MAPPING FOR current_user SERVER s9;
DROP SERVER s9 CASCADE; -- ERROR
+
+-- Check visibility of user mapping data
+SET ROLE regress_test_role;
+CREATE SERVER s10 FOREIGN DATA WRAPPER foo;
+CREATE USER MAPPING FOR public SERVER s10 OPTIONS (user 'secret');
+GRANT USAGE ON FOREIGN SERVER s10 TO unprivileged_role;
+-- owner of server can see option fields
+\deu+
+RESET ROLE;
+-- superuser can see option fields
+\deu+
+-- unprivileged user cannot see option fields
+SET ROLE unprivileged_role;
+\deu+
RESET ROLE;
+DROP SERVER s10 CASCADE;
-- DROP FOREIGN TABLE
DROP FOREIGN TABLE no_table; -- ERROR