Merge pull request #18 from mble/mble-additional-hardening
gatekeeper: disallow reading rolpassword in elevated contexts
staaldraad authored Nov 17, 2022
2 parents 65c5076 + 7a958ed commit dc57cc0
Showing 2 changed files with 44 additions and 0 deletions.
2 changes: 2 additions & 0 deletions .gitignore
@@ -1 +1,3 @@
.vscode/
*.o
*.so
42 changes: 42 additions & 0 deletions src/aiven_gatekeeper.c
Expand Up @@ -73,6 +73,10 @@ static int min_reserved_oid = 9000;
static const char *reserved_col_names[] = {"proowner", "proacl", "prolang", "prosecdef"};
static const int NUM_RESERVED_COLS = sizeof reserved_col_names / sizeof reserved_col_names[0];

/* reserved columns in the pg_authid table that aren't permitted to be read */
static const char *reserved_auth_col_names[] = {"rolpassword"};
static const int NUM_RESERVED_AUTH_COLS = sizeof reserved_auth_col_names / sizeof reserved_auth_col_names[0];

/* GUC Variables */
static bool pg_security_agent_enabled = false;
static bool pg_security_agent_strict = false;
Expand Down Expand Up @@ -580,8 +584,46 @@ pg_proc_guard_checks(QueryDesc *queryDesc, int eflags)
{
switch (queryDesc->operation)
{
case CMD_SELECT:
foreach (resultRelations, queryDesc->plannedstmt->rtable)
{
rt = lfirst(resultRelations);
switch (rt->relid)
{
case 1260: // pg_authid
colset = rt->selectedCols;
index = -1;
while ((index = bms_next_member(colset, index)) >= 0)
{
AttrNumber attno = index + FirstLowInvalidHeapAttributeNumber;
char *attname;
int i;

/* get the column name, function definition changed with PG11 */
#if PG11_GTE
attname = get_attname(1260, attno, true);
#else
attname = get_attname(1260, attno);
#endif
/* check if column is reserved */
for (i = 0; i < NUM_RESERVED_AUTH_COLS; i++)
{
if (strncmp(reserved_auth_col_names[i], attname, 10) == 0 && (pg_security_agent_strict || creating_extension || is_elevated() || is_security_restricted()))
{
elog(ERROR, "Reading pg_authid sensitive columns is not allowed in elevated context");
return;
}
}
}
break;
default:
break;
}
}
break;
case CMD_INSERT:
case CMD_UPDATE:
case CMD_DELETE:
foreach (resultRelations, queryDesc->plannedstmt->rtable)
{
rt = lfirst(resultRelations);
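Review bot: `strncmp(reserved_auth_col_names[i], attname, 10)` compares only the first 10 characters although "rolpassword" is 11 characters long, and the hard-coded bound silently becomes wrong for any name later added to `reserved_auth_col_names`; both operands are NUL-terminated strings, so `strcmp(reserved_auth_col_names[i], attname) == 0` is the check that was meant. `attname` can also be NULL at that point: on both `#if` branches `get_attname` returns NULL when the attribute number has no pg_attribute row, which is what a whole-row reference to the table (attno 0 in `selectedCols`) produces, and handing NULL to `strncmp` is undefined behaviour. Failing closed is the safer reading, e.g. `if ((attname == NULL || strcmp(reserved_auth_col_names[i], attname) == 0) && (pg_security_agent_strict || creating_extension || is_elevated() || is_security_restricted()))`. As a matter of style, the `return;` after `elog(ERROR, ...)` is unreachable because elog(ERROR) does not return to the caller, and the literal `1260` in the `case` and the two `get_attname` calls could be spelled `AuthIdRelationId` from catalog/pg_authid.h so the relation is named where it is checked. pg_proc_guard_checks begins and ends outside this hunk.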
