Thread
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Revise the permission checking on user mapping DDL commands.
- 93a6be63a55a 8.4.0 cited
-
BUG #14600: Passwords in user mappings leaked by psql \deu+ command
andrew.wheelwright@familysearch.org — 2017-03-28T05:38:14Z
The following bug has been logged on the website: Bug reference: 14600 Logged by: Andrew Wheelwright Email address: andrew.wheelwright@familysearch.org PostgreSQL version: 9.5.3 Operating system: CentOS 6.7 Description: Scenario: I'm working with a multi-server scenario where we have several classes of user. For the sake of simplicity I'll call one class power_user and the other standard_user. Also for the sake of simplicity, imagine the multiple servers are called Alice, Bob, and Chuck. The typical daily use case involve our standard users creating a foreign table on Alice which references another table on Bob, copying said table (e.g. create table as ...), dropping the foreign table to Bob, manipulating data in the table on Alice (i.e. modifying millions of records), creating another foreign table to Chuck, and copying the data from the table on Alice to the table on Chuck before dropping both the foreign table and the local table on Alice. For our standard users to do their work, they must be able to create these foreign tables (and no, they're not connecting to the same tables on Bob or Chuck). Now, the power_user role has more privileges than the standard_user role. Specifically, the power_user has grants to other schemas on Alice and Chuck. Both the power_user and the standard_user have usage granted on the foreign servers Bob and Chuck. The Problem: If a standard user logs into Alice using command line client, psql, and runs the command \deu+, the password for both the standard_user and the power_user will be visible in the displayed user mapping. The user could then log out of Alice and log back in as a power_user. As far as I can determine, anyone with usage granted on the foreign server can see ALL passwords for that foreign server's user mappings. Note: querying the information schema for user mappings does not display this same security vulnerability. It seems psql is getting the information through some other means.
-
Re: BUG #14600: Passwords in user mappings leaked by psql \deu+ command
Feike Steenbergen <feikesteenbergen@gmail.com> — 2017-03-29T14:54:03Z
> If a standard user logs into Alice using command line client, psql, and runs > the command \deu+, the password for both the standard_user and the > power_user will be visible in the displayed user mapping. \deu+ queries pg_catalog.pg_user_mappings, which itself is a view on top of pg_user_mapping. The permissions on pg_user_mapping (the table) seem sane, they do not allow you to see the values. The permissions on pg_user_mappings (the view) are too wide it seems. you could - for your current environment - use the following workaround on all your databases: REVOKE SELECT ON pg_user_mappings FROM public; I do think this needs a fix however, these credentials should not be visible to public. regards, Feike
-
Re: BUG #14600: Passwords in user mappings leaked by psql \deu+ command
Feike Steenbergen <feikesteenbergen@gmail.com> — 2017-03-29T17:53:50Z
Attached a patch which copies the logic from commit 93a6be63a55a8cd0d73b3fa81eb6a46013a3a974. In the current implementation we only consider privileges of the foreign server in determining whether or not to show the user mapping details. This patch copies the same logic (and documentation) used in commit 93a6be63a55a8cd0d73b3fa81eb6a46013a3a974 to not always show the user mapping options. regards, Feike
-
Re: BUG #14600: Passwords in user mappings leaked by psql \deu+ command
Noah Misch <noah@leadboat.com> — 2017-04-08T19:34:07Z
On Wed, Mar 29, 2017 at 04:54:03PM +0200, Feike Steenbergen wrote: > > If a standard user logs into Alice using command line client, psql, and > runs > > the command \deu+, the password for both the standard_user and the > > power_user will be visible in the displayed user mapping. > > \deu+ queries pg_catalog.pg_user_mappings, which itself is a view on top of > pg_user_mapping. Thanks for the report; the next back-branch releases will contain a fix.