Re: Unprivileged user can induce crash by using an SUSET param in PGOPTIONS - Mailing list pgsql-hackers

From Tom Lane
Subject Re: Unprivileged user can induce crash by using an SUSET param in PGOPTIONS
Date
Msg-id 954936.1658597004@sss.pgh.pa.us
In response to Re: Unprivileged user can induce crash by using an SUSET param in PGOPTIONS  (Nathan Bossart <nathandbossart@gmail.com>)
Responses Re: Unprivileged user can induce crash by using an SUSET param in PGOPTIONS
List pgsql-hackers
Nathan Bossart <nathandbossart@gmail.com> writes:
> On Fri, Jul 22, 2022 at 06:44:04PM -0400, Tom Lane wrote:
>> Another idea is to add a "bool interactive" parameter to InitPostgres,
>> thereby shoving the issue out to the call sites.  Still wouldn't
>> expose the am_walsender angle, but conceivably it'd be more
>> future-proof anyway?

> I hesitated to suggest this exactly because of the WAL sender problem, but
> it does seem slightly more future-proof, so +1 for this approach.

So about like this then.  (I spent some effort on cleaning up the
disjointed-to-nonexistent presentation of InitPostgres' parameters.)

            regards, tom lane

diff --git a/src/backend/bootstrap/bootstrap.c b/src/backend/bootstrap/bootstrap.c
index 088556ab54..58752368e7 100644
--- a/src/backend/bootstrap/bootstrap.c
+++ b/src/backend/bootstrap/bootstrap.c
@@ -354,7 +354,7 @@ BootstrapModeMain(int argc, char *argv[], bool check_only)
     if (pg_link_canary_is_frontend())
         elog(ERROR, "backend is incorrectly linked to frontend functions");

-    InitPostgres(NULL, InvalidOid, NULL, InvalidOid, NULL, false);
+    InitPostgres(NULL, InvalidOid, NULL, InvalidOid, false, false, NULL);

     /* Initialize stuff for bootstrap-file processing */
     for (i = 0; i < MAXATTR; i++)
diff --git a/src/backend/postmaster/autovacuum.c b/src/backend/postmaster/autovacuum.c
index 2e146aac93..70a9176c54 100644
--- a/src/backend/postmaster/autovacuum.c
+++ b/src/backend/postmaster/autovacuum.c
@@ -475,7 +475,7 @@ AutoVacLauncherMain(int argc, char *argv[])
     /* Early initialization */
     BaseInit();

-    InitPostgres(NULL, InvalidOid, NULL, InvalidOid, NULL, false);
+    InitPostgres(NULL, InvalidOid, NULL, InvalidOid, false, false, NULL);

     SetProcessingMode(NormalProcessing);

@@ -1694,12 +1694,13 @@ AutoVacWorkerMain(int argc, char *argv[])
         pgstat_report_autovac(dbid);

         /*
-         * Connect to the selected database
+         * Connect to the selected database, specifying no particular user
          *
          * Note: if we have selected a just-deleted database (due to using
          * stale stats info), we'll fail and exit here.
          */
-        InitPostgres(NULL, dbid, NULL, InvalidOid, dbname, false);
+        InitPostgres(NULL, dbid, NULL, InvalidOid, false, false,
+                     dbname);
         SetProcessingMode(NormalProcessing);
         set_ps_display(dbname);
         ereport(DEBUG1,
diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c
index 1c25457526..e541b16bdb 100644
--- a/src/backend/postmaster/postmaster.c
+++ b/src/backend/postmaster/postmaster.c
@@ -5654,7 +5654,11 @@ BackgroundWorkerInitializeConnection(const char *dbname, const char *username, u
                 (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
                  errmsg("database connection requirement not indicated during registration")));

-    InitPostgres(dbname, InvalidOid, username, InvalidOid, NULL, (flags & BGWORKER_BYPASS_ALLOWCONN) != 0);
+    InitPostgres(dbname, InvalidOid,    /* database to connect to */
+                 username, InvalidOid,    /* role to connect as */
+                 false,            /* never honor session_preload_libraries */
+                 (flags & BGWORKER_BYPASS_ALLOWCONN) != 0,    /* ignore datallowconn? */
+                 NULL);            /* no out_dbname */

     /* it had better not gotten out of "init" mode yet */
     if (!IsInitProcessingMode())
@@ -5677,7 +5681,11 @@ BackgroundWorkerInitializeConnectionByOid(Oid dboid, Oid useroid, uint32 flags)
                 (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
                  errmsg("database connection requirement not indicated during registration")));

-    InitPostgres(NULL, dboid, NULL, useroid, NULL, (flags & BGWORKER_BYPASS_ALLOWCONN) != 0);
+    InitPostgres(NULL, dboid,    /* database to connect to */
+                 NULL, useroid, /* role to connect as */
+                 false,            /* never honor session_preload_libraries */
+                 (flags & BGWORKER_BYPASS_ALLOWCONN) != 0,    /* ignore datallowconn? */
+                 NULL);            /* no out_dbname */

     /* it had better not gotten out of "init" mode yet */
     if (!IsInitProcessingMode())
diff --git a/src/backend/tcop/postgres.c b/src/backend/tcop/postgres.c
index 8ba1c170f0..3772329759 100644
--- a/src/backend/tcop/postgres.c
+++ b/src/backend/tcop/postgres.c
@@ -4076,7 +4076,11 @@ PostgresMain(const char *dbname, const char *username)
      * it inside InitPostgres() instead.  In particular, anything that
      * involves database access should be there, not here.
      */
-    InitPostgres(dbname, InvalidOid, username, InvalidOid, NULL, false);
+    InitPostgres(dbname, InvalidOid,    /* database to connect to */
+                 username, InvalidOid,    /* role to connect as */
+                 !am_walsender, /* honor session_preload_libraries? */
+                 false,            /* don't ignore datallowconn */
+                 NULL);            /* no out_dbname */

     /*
      * If the PostmasterContext is still around, recycle the space; we don't
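Review bot: `!am_walsender` at L109 turns session_preload_libraries off for every walsender, while the unconditional `process_session_preload_libraries()` call that this same patch deletes further down in PostgresMain ran for walsenders too, so the hunk introduces a behaviour change that its comment does not justify and the mail only alludes to. By the convention the patch documents in postinit.c, a logical walsender (which does connect to a database) looks like an interactive session, so excluding it is not self-evidently correct. If the intent is that walsenders never load session libraries — for instance because a physical walsender leaves InitPostgres before the new call is reached, which these hunks do not show — state it where the flag is computed, e.g. `!am_walsender, /* honor session_preload_libraries? (walsenders never do) */`; otherwise pass `true` and let InitPostgres decide. The rest of PostgresMain lies outside the hunk.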
@@ -4112,12 +4116,6 @@ PostgresMain(const char *dbname, const char *username)
     if (am_walsender)
         InitWalSender();

-    /*
-     * process any libraries that should be preloaded at backend start (this
-     * likewise can't be done until GUC settings are complete)
-     */
-    process_session_preload_libraries();
-
     /*
      * Send this backend's cancellation info to the frontend.
      */
diff --git a/src/backend/utils/init/postinit.c b/src/backend/utils/init/postinit.c
index a5c208a20a..de797c5933 100644
--- a/src/backend/utils/init/postinit.c
+++ b/src/backend/utils/init/postinit.c
@@ -622,29 +622,45 @@ BaseInit(void)
  * InitPostgres
  *        Initialize POSTGRES.
  *
+ * Arguments:
+ *    in_dbname, dboid: specify database to connect to, as described below
+ *    username, useroid: specify role to connect as, as described below
+ *    load_session_libraries: TRUE to honor session_preload_libraries
+ *    override_allow_connections: TRUE to connect despite !datallowconn
+ *    out_dbname: optional output parameter, see below; pass NULL if not used
+ *
  * The database can be specified by name, using the in_dbname parameter, or by
- * OID, using the dboid parameter.  In the latter case, the actual database
+ * OID, using the dboid parameter.  Specify NULL or InvalidOid respectively
+ * for the unused parameter.  If dboid is provided, the actual database
  * name can be returned to the caller in out_dbname.  If out_dbname isn't
  * NULL, it must point to a buffer of size NAMEDATALEN.
  *
- * Similarly, the username can be passed by name, using the username parameter,
+ * Similarly, the role can be passed by name, using the username parameter,
  * or by OID using the useroid parameter.
  *
- * In bootstrap mode no parameters are used.  The autovacuum launcher process
- * doesn't use any parameters either, because it only goes far enough to be
- * able to read pg_database; it doesn't connect to any particular database.
- * In walsender mode only username is used.
+ * In bootstrap mode the database and username parameters are NULL/InvalidOid.
+ * The autovacuum launcher process doesn't specify these parameters either,
+ * because it only goes far enough to be able to read pg_database; it doesn't
+ * connect to any particular database.  An autovacuum worker specifies a
+ * database but not a username; conversely, a physical walsender specifies
+ * username but not database.
+ *
+ * By convention, load_session_libraries should be passed as true in
+ * "interactive" sessions, false in background processes such as autovacuum.
  *
- * As of PostgreSQL 8.2, we expect InitProcess() was already called, so we
- * already have a PGPROC struct ... but it's not completely filled in yet.
+ * We expect that InitProcess() was already called, so we already have a
+ * PGPROC struct ... but it's not completely filled in yet.
  *
  * Note:
  *        Be very careful with the order of calls in the InitPostgres function.
  * --------------------------------
  */
 void
-InitPostgres(const char *in_dbname, Oid dboid, const char *username,
-             Oid useroid, char *out_dbname, bool override_allow_connections)
+InitPostgres(const char *in_dbname, Oid dboid,
+             const char *username, Oid useroid,
+             bool load_session_libraries,
+             bool override_allow_connections,
+             char *out_dbname)
 {
     bool        bootstrap = IsBootstrapProcessingMode();
     bool        am_superuser;
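Review bot: The convention paragraph at L165-166 only distinguishes "interactive" sessions from background processes, yet the paragraph directly above it (L161-163) singles out the physical walsender as a distinct caller and says nothing about what it should pass for load_session_libraries — the one case the mail admits the new parameter does not capture. A reader of this header cannot tell whether a walsender counts as interactive, so add the answer next to the rule, e.g. ` * Walsender processes are treated as non-interactive here and pass false.` (or whatever is agreed). Since this hunk is now the single place the parameters are documented, it is also worth saying at L140 that override_allow_connections bypasses the per-database datallowconn restriction and is intended only for internal callers such as background workers that have explicitly requested it, as the postmaster.c hunks show.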
@@ -1108,6 +1124,16 @@ InitPostgres(const char *in_dbname, Oid dboid, const char *username,
     /* Initialize this backend's session state. */
     InitializeSession();

+    /*
+     * If this is an interactive session, load any libraries that should be
+     * preloaded at backend start.  Since those are determined by GUCs, this
+     * can't happen until GUC settings are complete, but we want it to happen
+     * during the initial transaction in case anything that requires database
+     * access needs to be done.
+     */
+    if (load_session_libraries)
+        process_session_preload_libraries();
+
     /* report this backend in the PgBackendStatus array */
     if (!bootstrap)
         pgstat_bestart();
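Review bot: The new `process_session_preload_libraries()` call at L199-200 now runs before `pgstat_bestart()` at L203-204, whereas the call this patch removes from PostgresMain ran after InitPostgres had already reported the backend; a library whose _PG_init blocks (waiting on a lock, or doing the database access the comment explicitly anticipates) will therefore not yet be visible in pg_stat_activity. If that ordering is deliberate, one more sentence in the comment would save the next reader the question, e.g. ` * Note this runs before pgstat_bestart(), so a slow _PG_init is not yet visible in pg_stat_activity.`; otherwise moving the call below the pgstat_bestart() block keeps it inside the initial transaction while making the backend observable. The transaction the comment refers to is started earlier in InitPostgres, outside this hunk.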
diff --git a/src/include/miscadmin.h b/src/include/miscadmin.h
index ea9a56d395..067b729d5a 100644
--- a/src/include/miscadmin.h
+++ b/src/include/miscadmin.h
@@ -449,8 +449,11 @@ extern PGDLLIMPORT AuxProcType MyAuxProcType;
 /* in utils/init/postinit.c */
 extern void pg_split_opts(char **argv, int *argcp, const char *optstr);
 extern void InitializeMaxBackends(void);
-extern void InitPostgres(const char *in_dbname, Oid dboid, const char *username,
-                         Oid useroid, char *out_dbname, bool override_allow_connections);
+extern void InitPostgres(const char *in_dbname, Oid dboid,
+                         const char *username, Oid useroid,
+                         bool load_session_libraries,
+                         bool override_allow_connections,
+                         char *out_dbname);
 extern void BaseInit(void);

 /* in utils/init/miscinit.c */
