Postgres Pro
Downloads
Home   >   mailing lists

Re: BUG #15371: a user who not a member of pg_read_server_files rolecan create a new user into pg_read_server_files - Mailing list pgsql-bugs

From David G. Johnston
Subject Re: BUG #15371: a user who not a member of pg_read_server_files rolecan create a new user into pg_read_server_files
Date
Msg-id CAKFQuwZtXU8QD6kZ4BBNgq0F1xrwq+mrStUkTRt+-W3vSgeuaw@mail.gmail.com
Whole thread Raw
In response to BUG #15371: a user who not a member of pg_read_server_files role cancreate a new user into pg_read_server_files  (PG Bug reporting form <noreply@postgresql.org>)
List pgsql-bugs
Tree view
On Saturday, September 8, 2018, PG Bug reporting form <noreply@postgresql.org> wrote:

see the code src/backend/commands/user.c, the check privillige code is :
static void
AddRoleMems(const char *rolename, Oid roleid,
                        List *memberSpecs, List *memberIds,
                        Oid grantorId, bool admin_opt)
{
        else
        {
                if (!have_createrole_privilege() &&
                        !is_admin_of_role(grantorId, roleid))
                        ereport(ERROR,
                                        (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
                                         errmsg("must have admin option on role \"%s\"",
                                                        rolename)));
        }

I think the line "if (!have_createrole_privilege() &&
!is_admin_of_role(grantorId, roleid))" should been modifed to "if
(!have_createrole_privilege() || !is_admin_of_role(grantorId, roleid))" .

Security code would ideally be written so not erroring requires an actual matched condition while leaving the default to be an error.  So, I think, the && is ok, remove both negations, put a commented no-op there, and move the error to an else block.

Whether that is sufficient for this bug I do not know, but it would be a more secure format.

David J.

pgsql-bugs by date:

Previous
From: PG Bug reporting form
Date:
Subject: BUG #15372: pg_stat_statements extension ignore stats_temp_directorysetting and always write into pg_stat_tmp
Next
From: "David G. Johnston"
Date:
Subject: Re: BUG #15371: a user who not a member of pg_read_server_files rolecan create a new user into pg_read_server_files