Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1qIEn7-0005hk-0F for pgsql-hackers@arkaria.postgresql.org; Sat, 08 Jul 2023 20:44:29 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1qIEn4-0008Nh-LW for pgsql-hackers@arkaria.postgresql.org; Sat, 08 Jul 2023 20:44:26 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1qIEn4-0008NY-5Z for pgsql-hackers@lists.postgresql.org; Sat, 08 Jul 2023 20:44:26 +0000 Received: from mail-oo1-xc33.google.com ([2607:f8b0:4864:20::c33]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1qIEmx-002ljM-8K for pgsql-hackers@lists.postgresql.org; Sat, 08 Jul 2023 20:44:24 +0000 Received: by mail-oo1-xc33.google.com with SMTP id 006d021491bc7-56661fe27cbso2318433eaf.3 for ; Sat, 08 Jul 2023 13:44:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1688849058; x=1691441058; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=/2RNEaE/4oP+7J+HdVPOh//UVhn7h1RedM4NvKWsCro=; b=MkXP+zC3gm8CASaQtqOkWHm96plfUDJw2eS87REoZar6TW8RSzd6Pu41slcwXFdn0u o2IR2N9vV10s8iOGoEL6/wU8TsHlWiOCzRHG71HoyWQ+H1xD278sIhAG2k8Ncdece2bI MqTjCzTCN7GkAw6dge6fMoFg4pKWsu+i0QqLWNEgCVeTYkpp9CTSEEmkGhAClPt/5j9D hK8A4vNeBmDKSxhMVeOcWTa2IXWAjNuYCf87aBcAdbQh0rEiveNpSwTMCVJkexdXdjkD TZBMc9jbBEKrm8yjLLfWwGxz/Da2HRHJ0RjhpBH8F1jsH8VvSo/Rpd40zFX7FFd1vbgP WFYw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1688849058; x=1691441058; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=/2RNEaE/4oP+7J+HdVPOh//UVhn7h1RedM4NvKWsCro=; b=dgLxT7db5OvTV7uzPOo8BwtPCB3OinNBDZjA6ea8WeDrWfCJ0xF+CsYZK7f+yH4Pe6 Mz4GBXSW1eTEuwUShLOEUVpcPruBI6ASjq6UKCdzx41CppVMRiJOLci9zYCyP1mq5txL 6EzZ+6UwZaZ/06t15E5zrITwXS8o879wnMlNRqskMIw+DlA37qMJySXTVo4wtgM9S0Bq j1c6Rb4VPrn8U3HApcJGkofwIDAvYu/WAbWszgsUYqoPmqdLb8VHJHFuWtNPqNgkr+Cg 8ViyZEeESagm97Rb4FMddwfmhuTV3De4qxGrk66+99xOpD+WO9cwCIFk373v6Ntbw8Yl PB6g== X-Gm-Message-State: ABy/qLZFf0mF75IyKGEPO1+nL6jJmrsixSddJ8RPWyd2T/TWH9NVR/Jh fl2Zk3mNW5JrhgOzdvgWaTX2t7g7zeRAEnGVB/Ccx2hJ7icUNsU= X-Google-Smtp-Source: APBJJlFM1PEhsxoCObDO8cHP6HS52aKb61+vwynF3n4QKgvs/FpPOLEGX2Lr3Pcwk91KNZU3SbAQriKTtj2ROr7YDig= X-Received: by 2002:a4a:2c94:0:b0:563:52c2:17db with SMTP id o142-20020a4a2c94000000b0056352c217dbmr6067395ooo.8.1688849057939; Sat, 08 Jul 2023 13:44:17 -0700 (PDT) MIME-Version: 1.0 References: <20230622034818.GA1077640@nathanxps13> <20230623175416.GA1268820@nathanxps13> In-Reply-To: From: Joseph Koshakow Date: Sat, 8 Jul 2023 16:44:06 -0400 Message-ID: Subject: Re: Preventing non-superusers from altering session authorization To: Nathan Bossart Cc: PostgreSQL Hackers Content-Type: multipart/alternative; boundary="0000000000002d85d505ffffd071" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --0000000000002d85d505ffffd071 Content-Type: text/plain; charset="UTF-8" I've discovered an issue with this approach. Let's say you have some session open that is connected as a superuser and you run the following commands: - CREATE ROLE r1 LOGIN SUPERUSER; - CREATE ROLE r2; - CREATE ROLE r3; Then you open another session connected with user r1 and run the following commands: - SET SESSION AUTHROIZATION r2; - BEGIN; - SET SESSION AUTHORIZATION r3; Then in your original session run: - ALTER ROLE r1 NOSUPERUSER; Finally in the r1 session run: - CREATE TABLE t (); Postgres will then panic with the following logs: 2023-07-08 16:33:27.787 EDT [157141] ERROR: permission denied for schema public at character 14 2023-07-08 16:33:27.787 EDT [157141] STATEMENT: CREATE TABLE t (); 2023-07-08 16:33:27.787 EDT [157141] ERROR: permission denied to set session authorization 2023-07-08 16:33:27.787 EDT [157141] WARNING: AbortTransaction while in ABORT state 2023-07-08 16:33:27.787 EDT [157141] ERROR: permission denied to set session authorization 2023-07-08 16:33:27.787 EDT [157141] WARNING: AbortTransaction while in ABORT state 2023-07-08 16:33:27.787 EDT [157141] ERROR: permission denied to set session authorization 2023-07-08 16:33:27.787 EDT [157141] WARNING: AbortTransaction while in ABORT state 2023-07-08 16:33:27.787 EDT [157141] ERROR: permission denied to set session authorization 2023-07-08 16:33:27.787 EDT [157141] PANIC: ERRORDATA_STACK_SIZE exceeded 2023-07-08 16:33:27.882 EDT [156878] LOG: server process (PID 157141) was terminated by signal 6: Aborted 2023-07-08 16:33:27.882 EDT [156878] DETAIL: Failed process was running: CREATE TABLE t (); I think the issue here is that if a session loses the ability to set their session authorization in the middle of a transaction, then rolling back the transaction may fail and cause the server to panic. That's probably what the deleted comment mean when it said: > * It's OK because the check does not require catalog access and can't > * fail during an end-of-transaction GUC reversion Interestingly, if the r1 session manually types `ROLLBACK` instead of executing a command that fails, then everything is fine and there's no panic. I'm not familiar enough with transaction handling to know why there would be a difference there. Thanks, Joe Koshakow --0000000000002d85d505ffffd071 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
I've discovered an issue with this approach. Let's= say you have some
session open that is connected as a superuser and you= run the following commands:

=C2=A0 - CREATE ROLE r1 LOGIN SUPERUSER= ;
=C2=A0 - CREATE ROLE r2;
=C2=A0 - CREATE ROLE r3;

Then you o= pen another session connected with user r1 and run the
following command= s:

=C2=A0 - SET SESSION AUTHROIZATION r2;
=C2=A0 - BEGIN;
=C2= =A0 - SET SESSION AUTHORIZATION r3;

Then in your original session ru= n:

=C2=A0 - ALTER ROLE r1 NOSUPERUSER;

Finally in the r1 sess= ion run:

=C2=A0 - CREATE TABLE t ();

Postgres will then panic= with the following logs:

2023-07-08 16:33:27.787 EDT [157141] ERROR= : =C2=A0permission denied for schema public at character 14
2023-07-08 1= 6:33:27.787 EDT [157141] STATEMENT: =C2=A0CREATE TABLE t ();
2023-07-08 = 16:33:27.787 EDT [157141] ERROR: =C2=A0permission denied to set session aut= horization
2023-07-08 16:33:27.787 EDT [157141] WARNING: =C2=A0AbortTran= saction while in ABORT state
2023-07-08 16:33:27.787 EDT [157141] ERROR:= =C2=A0permission denied to set session authorization
2023-07-08 16:33:2= 7.787 EDT [157141] WARNING: =C2=A0AbortTransaction while in ABORT state
= 2023-07-08 16:33:27.787 EDT [157141] ERROR: =C2=A0permission denied to set = session authorization
2023-07-08 16:33:27.787 EDT [157141] WARNING: =C2= =A0AbortTransaction while in ABORT state
2023-07-08 16:33:27.787 EDT [15= 7141] ERROR: =C2=A0permission denied to set session authorization
2023-0= 7-08 16:33:27.787 EDT [157141] PANIC: =C2=A0ERRORDATA_STACK_SIZE exceeded2023-07-08 16:33:27.882 EDT [156878] LOG: =C2=A0server process (PID 15714= 1) was terminated by signal 6: Aborted
2023-07-08 16:33:27.882 EDT [1568= 78] DETAIL: =C2=A0Failed process was running: CREATE TABLE t ();

I t= hink the issue here is that if a session loses the ability to set
their = session authorization in the middle of a transaction, then
rolling back = the transaction may fail and cause the server to panic.
That's proba= bly what the deleted comment mean when it said:

> * It's OK b= ecause the check does not require catalog access and can't
>= * fail during an end-of-transaction GUC reversion

Interestingly, if the r1 session manually types `ROLLBACK` instead of
e= xecuting a command that fails, then everything is fine and there's nopanic. I'm not familiar enough with transaction handling to know why<= br>there would be a difference there.

Thanks,
Joe Koshakow
--0000000000002d85d505ffffd071--