Thread: "setuid" functions, a solution to the RI privilege problem

"setuid" functions, a solution to the RI privilege problem

From
Peter Eisentraut
Date:
Email was fried, so one more time...

-- 
Peter Eisentraut      peter_e@gmx.net       http://yi.org/peter-e/

---------- Forwarded message ----------
Date: Wed, 6 Sep 2000 16:19:08 +0200 (CEST)
From: Peter Eisentraut <peter_e@gmx.net>
To: PostgreSQL Development <pgsql-hackers@postgresql.org>
Subject: "setuid" functions, a solution to the RI privilege problem

With the code cleanup that is just coming through it is now easily
possible to change the current user id during a session/connection. Hence
we can now attack the issue of "setuid" functions, which would also
provide a means to circumvent the well-known RI privilege problem.

I haven't looked closely, but I envision it working like this: Add a
boolean attribute to pg_proc, maybe "setuid", but I'd rather avoid that
name. If it is false then everything happens as usual. If it is true then
the function manager saves the uid before the function call, sets the
current uid to the uid of the function creator, and restores it
afterwards. It might end up touching only a few dozen lines in fmgr.c.

As for syntax, we can easily do with the "CREATE FUNCTION WITH" mechanism,
until we implement the standard syntax.

What this means in particular for the RI triggers is that they would then
always execute with the permission of the bootstrap user (usually
"postgres"), which would give them a free ticket. OTOH, that would commit
us that the "postgres" user always has to be a superuser, which should be
okay I should think.

For those interested in the standards, I append here a relevant section.
Note that it actually requires SQL language functions to be "setuid" by
default, but I think we can safely ignore that little artifact.

[4.23]        When the <routine body> of an SQL-invoked routine is executed and        the new SQL-session context for
theSQL-session is created, the        SQL-session user identifier in the new SQL-session context is set        to the
currentuser identifier in the SQL-session context that was        active when the SQL-session caused the execution of
the<routine        body>. The authorization stack of this new SQL-session context is        initially set to empty and
anew pair of identifiers is immediately        appended to the authorization stack such that:        -  The user
identifieris the newly initialized SQL-session user           identifier.        -  The role name is the current role
nameof the SQL-session           context that was active when the SQL-session caused the           execution of the
<routinebody>.        The identifiers in this new entry of the authorization stack        are then modified depending
onwhether the SQL-invoked routine        is an SQL routine or an external routine. If the SQL-invoked        routine is
anSQL routine, then, if the routine authorization        identifier is a user identifier, the user identifier is set to
      the routine authorization identifier and the role name is set to        null; otherwise, the role name is set to
theroutine authorization        and the user identifier is set to null.        If the SQL-invoked routine is an
externalroutine, then the        identifiers are determined according to the external security        characteristic of
theSQL-invoked routine:        -  If the external security characteristic is DEFINER, then:           o If the routine
authorizationidentifier is a user identifier,             then the user identifier is set to the routine authorization
          identifier and the role name is set to the null value.           o Otherwise, the role name is set to the
routineauthorization             identifier and the user identifier is set to the null value.        -  If the external
securitycharacteristic is INVOKER, then the           identifiers remain unchanged.        -  If the external security
characteristicis IMPLEMENTATION           DEFINED, then the identifiers are set to implementation-defined
values.

[11.49]        <external security clause> ::=               EXTERNAL SECURITY DEFINER             | EXTERNAL SECURITY
INVOKER            | EXTERNAL SECURITY IMPLEMENTATION DEFINED
 


-- 
Peter Eisentraut      peter_e@gmx.net       http://yi.org/peter-e/



Re: "setuid" functions, a solution to the RI privilege problem

From
"Ross J. Reedstrom"
Date:
On Fri, Sep 08, 2000 at 07:14:54PM +0200, Peter Eisentraut wrote:
> Date: Wed, 6 Sep 2000 16:19:08 +0200 (CEST)
> From: Peter Eisentraut <peter_e@gmx.net>
> To: PostgreSQL Development <pgsql-hackers@postgresql.org>
> Subject: "setuid" functions, a solution to the RI privilege problem
> 
> With the code cleanup that is just coming through it is now easily
> possible to change the current user id during a session/connection. Hence
> we can now attack the issue of "setuid" functions, which would also
> provide a means to circumvent the well-known RI privilege problem.
> 

This sounds good.

> I haven't looked closely, but I envision it working like this: Add a
> boolean attribute to pg_proc, maybe "setuid", but I'd rather avoid that
> name. If it is false then everything happens as usual. If it is true then
> the function manager saves the uid before the function call, sets the
> current uid to the uid of the function creator, and restores it
> afterwards. It might end up touching only a few dozen lines in fmgr.c.
> 

Good for functions. Rather than a boolean, how about something to store
the three standard defined behaviors DEFINER,INVOKER,IMPLEMENTATION
DEFINED: "proauth" int, with #DEFINES, perhaps? Or, we could store
the userid that this procedure will run as, with null signifying
invoker. (BTW, that's the first time I've seen 'IMPLEMENTATION DEFINED'
in a standard leaking out into the defined grammar!)

I have some concerns about views, see below.

> 
> For those interested in the standards, I append here a relevant section.
> Note that it actually requires SQL language functions to be "setuid" by
> default, but I think we can safely ignore that little artifact.
> 

Well, currently, views access the tables in their FROM clause with the
priviliges of the creating user, which means 'setuid' by default. As I
recently found out, subselects in a view definition do _not_ run as the
creating user, however.

I wonder if your approach might also be useful for views? I realize this
is off topic for your suggestion for functions. And I have a sneaking
suspicion that the only fix for VIEWs requires the planner rewrite Tom's
been working on.

Ross
-- 
Ross J. Reedstrom, Ph.D., <reedstrm@rice.edu> 
NSBRI Research Scientist/Programmer
Computer and Information Technology Institute
Rice University, 6100 S. Main St.,  Houston, TX 77005


Re: "setuid" functions, a solution to the RI privilege problem

From
Peter Eisentraut
Date:
Ross J. Reedstrom writes:

> This sounds good.

The sad part of this story is that, while setuid functions work well for
me in my tree, they cannot be used for the RI problem after all. The
problem is that the lookup table for builtin function is already generated
at compile time (Gen_fmgrtab.sh), whereas we don't know the user id of
their owner until initdb at the earliest. Hence setuid functions don't
work for builtins, currently.

(With 7.2 I plan to get rid of pg_shadow.usesysid and identify users via
pg_shadow.oid and the superuser oid will be hard-coded into
include/catalog/pg_shadow.h, so at that point they will work.)

An alternative answer would be to tie the user id not to the owner of the
function but to the owner of the trigger, as an additional feature.


> Good for functions. Rather than a boolean, how about something to store
> the three standard defined behaviors DEFINER,INVOKER,IMPLEMENTATION
> DEFINED: "proauth" int, with #DEFINES, perhaps? Or, we could store
> the userid that this procedure will run as, with null signifying
> invoker.

Well, the standards defines these three behaviours, in terms of its
"authorization stack":

* INVOKER -- nothing changes when the function is called

* DEFINER -- push function owner's identifier on top of stack

* IMPLEMENTATION DEFINED -- put whatever you want on the stack

Since IMPLEMENTATION DEFINED is the default it has to be what we have now,
which in turn is INVOKER. So ISTM that we do not have 3 options really.

> (BTW, that's the first time I've seen 'IMPLEMENTATION DEFINED'
> in a standard leaking out into the defined grammar!)

I have a sneaking suspicion that this was done because certain vendors
with large interests in the SQL specification process had completely
incompatible behaviours by default that would not fit in with the SQL
model at all, so they could only be described by "do what you want". ;-)

> I have some concerns about views, see below.

No clue about views... :-\


-- 
Peter Eisentraut      peter_e@gmx.net       http://yi.org/peter-e/