From e5fdb8feadd4385671bab0e2c4c57008f3ba8dda Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Mon, 1 Apr 2013 13:09:29 -0400 Subject: Make REPLICATION privilege checks test current user not authenticated user. The pg_start_backup() and pg_stop_backup() functions checked the privileges of the initially-authenticated user rather than the current user, which is wrong. For example, a user-defined index function could successfully call these functions when executed by ANALYZE within autovacuum. This could allow an attacker with valid but low-privilege database access to interfere with creation of routine backups. Reported and fixed by Noah Misch. Security: CVE-2013-1901 --- src/backend/utils/init/miscinit.c | 6 +++--- src/backend/utils/init/postinit.c | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'src/backend/utils') diff --git a/src/backend/utils/init/miscinit.c b/src/backend/utils/init/miscinit.c index b28567e6521..0a40bcf5270 100644 --- a/src/backend/utils/init/miscinit.c +++ b/src/backend/utils/init/miscinit.c @@ -389,15 +389,15 @@ SetUserIdAndContext(Oid userid, bool sec_def_context) /* - * Check if the authenticated user is a replication role + * Check whether specified role has explicit REPLICATION privilege */ bool -is_authenticated_user_replication_role(void) +has_rolreplication(Oid roleid) { bool result = false; HeapTuple utup; - utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(AuthenticatedUserId)); + utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid)); if (HeapTupleIsValid(utup)) { result = ((Form_pg_authid) GETSTRUCT(utup))->rolreplication; diff --git a/src/backend/utils/init/postinit.c b/src/backend/utils/init/postinit.c index ba0eba55689..3dc5331772e 100644 --- a/src/backend/utils/init/postinit.c +++ b/src/backend/utils/init/postinit.c @@ -668,7 +668,7 @@ InitPostgres(const char *in_dbname, Oid dboid, const char *username, { Assert(!bootstrap); - if (!superuser() && !is_authenticated_user_replication_role()) + if (!superuser() && !has_rolreplication(GetUserId())) ereport(FATAL, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), errmsg("must be superuser or replication role to start walsender"))); -- cgit v1.2.3