On Mon, 2023-11-06 at 18:29 +0100, Tomas Vondra wrote: > On 11/6/23 14:23, Laurenz Albe wrote: > > This behavior looks buggy to me. What do you think? > > I cannot imagine that it is a security problem, though. > > How could code getting executed under the wrong role not be a security > issue? Also, does this affect just the role, or are there some other > settings that may unexpectedly change (e.g. search_path)?
Here is a patch that fixes this problem by keeping track of the current role in the AfterTriggerSharedData. I have thought some more about the security aspects: 1. With the new code, you could call a SECURITY DEFINER function that modifies data on a table with a deferred trigger, then modify the trigger function before you commit and have your code run with elevated privileges. But I think that we need not worry about that. If a superuser performs DML on a table that an untrusted user controls, all bets are off anyway. The attacker might as well put the bad code into the trigger *before* calling the SECURITY DEFINER function. 2. The more serious concern is that the old code constitutes a narrow security hazard: a superuser could temporarily assume an unprivileged role to avoid risks while performing DML on a table controlled by an untrusted user, but for some reason resume being a superuser *before* COMMIT. Then a deferred trigger would inadvertently run with superuser privileges. That seems like a very unlikely scenario (who would RESET ROLE before committing in that situation?). Moreover, it seems like the current buggy behavior has been in place for decades without anybody noticing. I am not against backpatching this (the fix is simple enough), but I am not convinced that it is necessary. Yours, Laurenz Albe
From 71530f35ab003846d73f9444737e40557598d0f2 Mon Sep 17 00:00:00 2001 From: Laurenz Albe <laurenz.a...@cybertec.at> Date: Wed, 6 Mar 2024 14:09:43 +0100 Subject: [PATCH v1] Make AFTER triggers run with the correct user With deferred triggers, it is possible that the current role changes between the time when the trigger is queued and the time it is executed (for example, the triggering data modification could have been executed in a SECURITY DEFINER function). Up to now, deferred trigger functions would run with the current role set to whatever was active at commit time. That does not matter for regular constraints, whose correctness doesn't depend on the current role. But for user-written contraint triggers, the current role certainly matters. Security considerations: - The trigger function could be modified between the time the trigger is queued and the time it runs. If the trigger was executed by a privileged user, the new behavior could be used for privilege escalation. But if a privileged user executes DML on a table owned by an untrusted user, all bets are off anyway --- the malicious code could as well be in the trigger function from the beginning. So we don't consider this a security hazard. - The previous behavior could lead to code inadvertently running with elevated privileges if a privileged user temporarily assumes lower privileges while executing DML on an untrusted table, but the deferred trigger runs with the user's original privileges. However, that only applies if the privileged user commits *after* resuming the original role. Should this be backpatched as a security bug? Author: Laurenz Albe Discussion: https://postgr.es/m/77ee784cf248e842f74588418f55c2931e47bd78.camel%40cybertec.at --- src/backend/commands/trigger.c | 23 ++++++++ src/test/regress/expected/triggers.out | 81 ++++++++++++++++++++++++++ src/test/regress/sql/triggers.sql | 75 ++++++++++++++++++++++++ 3 files changed, 179 insertions(+) diff --git a/src/backend/commands/trigger.c b/src/backend/commands/trigger.c index c344ff0944..68c89f1958 100644 --- a/src/backend/commands/trigger.c +++ b/src/backend/commands/trigger.c @@ -3640,6 +3640,7 @@ typedef struct AfterTriggerSharedData TriggerEvent ats_event; /* event type indicator, see trigger.h */ Oid ats_tgoid; /* the trigger's ID */ Oid ats_relid; /* the relation it's on */ + Oid ats_rolid; /* role to execute the trigger */ CommandId ats_firing_id; /* ID for firing cycle */ struct AfterTriggersTableData *ats_table; /* transition table access */ Bitmapset *ats_modifiedcols; /* modified columns */ @@ -4121,6 +4122,7 @@ afterTriggerAddEvent(AfterTriggerEventList *events, { if (newshared->ats_tgoid == evtshared->ats_tgoid && newshared->ats_relid == evtshared->ats_relid && + newshared->ats_rolid == evtshared->ats_rolid && newshared->ats_event == evtshared->ats_event && newshared->ats_table == evtshared->ats_table && newshared->ats_firing_id == 0) @@ -4295,6 +4297,8 @@ AfterTriggerExecute(EState *estate, int tgindx; bool should_free_trig = false; bool should_free_new = false; + Oid save_rolid; + int save_sec_context; /* * Locate trigger in trigdesc. @@ -4490,6 +4494,20 @@ AfterTriggerExecute(EState *estate, MemoryContextReset(per_tuple_context); + /* set the appropriate role if necessary */ + GetUserIdAndSecContext(&save_rolid, &save_sec_context); + if (save_rolid != evtshared->ats_rolid) + { + /* + * The role could have been dropped since the trigger was queued. + * In that case, give up and error out. + */ + pfree(GetUserNameFromId(evtshared->ats_rolid, false)); + + SetUserIdAndSecContext(evtshared->ats_rolid, + save_sec_context | SECURITY_LOCAL_USERID_CHANGE); + } + /* * Call the trigger and throw away any possibly returned updated tuple. * (Don't let ExecCallTriggerFunc measure EXPLAIN time.) @@ -4504,6 +4522,10 @@ AfterTriggerExecute(EState *estate, rettuple != LocTriggerData.tg_newtuple) heap_freetuple(rettuple); + /* reset the current role */ + if (save_rolid != evtshared->ats_rolid) + SetUserIdAndSecContext(save_rolid, save_sec_context); + /* * Release resources */ @@ -6431,6 +6453,7 @@ AfterTriggerSaveEvent(EState *estate, ResultRelInfo *relinfo, (trigger->tginitdeferred ? AFTER_TRIGGER_INITDEFERRED : 0); new_shared.ats_tgoid = trigger->tgoid; new_shared.ats_relid = RelationGetRelid(rel); + new_shared.ats_rolid = GetUserId(); new_shared.ats_firing_id = 0; if ((trigger->tgoldtable || trigger->tgnewtable) && transition_capture != NULL) diff --git a/src/test/regress/expected/triggers.out b/src/test/regress/expected/triggers.out index 78e9030923..63f37ead3f 100644 --- a/src/test/regress/expected/triggers.out +++ b/src/test/regress/expected/triggers.out @@ -3709,3 +3709,84 @@ Inherits: parent drop table parent, child; drop function f(); +-- test who runs deferred trigger functions +-- setup +create role groot; +create role outis; +create function whoami() returns trigger language plpgsql +as $$ +begin + raise warning 'I am %', current_user; + return null; +end; +$$; +alter function whoami() owner to outis; +create table defer_trig (id integer); +grant insert on defer_trig to public; +create constraint trigger whoami after insert on defer_trig + deferrable initially deferred + for each row + execute function whoami(); +-- deferred triggers must run as the user that queued the trigger +begin; +set role groot; +insert into defer_trig values (1); +reset role; +set role outis; +insert into defer_trig values (1); +reset role; +commit; +WARNING: I am groot +WARNING: I am outis +-- make sure that the user still exists at commit time +begin; +set role groot; +insert into defer_trig values (1); +reset role; +drop role groot; +do $$ +begin + -- catch the execption because it contains the role OID + set constraints all immediate; +exception when undefined_object then + raise warning 'user does not exist'; +end; +$$; +WARNING: user does not exist +rollback; +-- security definer functions override the user who queued the trigger +alter function whoami() security definer; +begin; +set role groot; +insert into defer_trig values (2); +reset role; +commit; +WARNING: I am outis +alter function whoami() security invoker; +-- make sure the current user is reset on error +create or replace function whoami() returns trigger language plpgsql +as $$ +begin + perform 1 / 0; + return null; +end; +$$; +begin; +set role groot; +insert into defer_trig values (2); +reset role; +commit; -- error expected +ERROR: division by zero +CONTEXT: SQL statement "SELECT 1 / 0" +PL/pgSQL function whoami() line 3 at PERFORM +select current_user = session_user; + ?column? +---------- + t +(1 row) + +-- clean up +drop table defer_trig; +drop function whoami(); +drop role outis; +drop role groot; diff --git a/src/test/regress/sql/triggers.sql b/src/test/regress/sql/triggers.sql index 46795a9c78..eb23339dc3 100644 --- a/src/test/regress/sql/triggers.sql +++ b/src/test/regress/sql/triggers.sql @@ -2802,3 +2802,78 @@ alter trigger parenttrig on parent rename to anothertrig; drop table parent, child; drop function f(); + +-- test who runs deferred trigger functions +-- setup +create role groot; +create role outis; +create function whoami() returns trigger language plpgsql +as $$ +begin + raise warning 'I am %', current_user; + return null; +end; +$$; +alter function whoami() owner to outis; +create table defer_trig (id integer); +grant insert on defer_trig to public; +create constraint trigger whoami after insert on defer_trig + deferrable initially deferred + for each row + execute function whoami(); + +-- deferred triggers must run as the user that queued the trigger +begin; +set role groot; +insert into defer_trig values (1); +reset role; +set role outis; +insert into defer_trig values (1); +reset role; +commit; + +-- make sure that the user still exists at commit time +begin; +set role groot; +insert into defer_trig values (1); +reset role; +drop role groot; +do $$ +begin + -- catch the execption because it contains the role OID + set constraints all immediate; +exception when undefined_object then + raise warning 'user does not exist'; +end; +$$; +rollback; + +-- security definer functions override the user who queued the trigger +alter function whoami() security definer; +begin; +set role groot; +insert into defer_trig values (2); +reset role; +commit; +alter function whoami() security invoker; + +-- make sure the current user is reset on error +create or replace function whoami() returns trigger language plpgsql +as $$ +begin + perform 1 / 0; + return null; +end; +$$; +begin; +set role groot; +insert into defer_trig values (2); +reset role; +commit; -- error expected +select current_user = session_user; + +-- clean up +drop table defer_trig; +drop function whoami(); +drop role outis; +drop role groot; -- 2.44.0
