authorTom Lane <tgl@sss.pgh.pa.us>2017-11-09 12:56:07 -0500
committerTom Lane <tgl@sss.pgh.pa.us>2017-11-09 12:56:07 -0500
commitae20b23a9e7029f31ee902da08a464d968319f56 (patch)
tree7e4d38dbef7026c7521d0157b9e8ec616d7488b8 /src/include/storage/large_object.h
parent5ecc0d738e5864848bbc2d1d97e56d5846624ba2 (diff)
Refactor permissions checks for large objects.
Up to now, ACL checks for large objects happened at the level of the SQL-callable functions, which led to CVE-2017-7548 because of a missing check. Push them down to be enforced in inv_api.c as much as possible, in hopes of preventing future bugs. This does have the effect of moving read and write permission errors to happen at lo_open time not loread or lowrite time, but that seems acceptable. Michael Paquier and Tom Lane Discussion: https://postgr.es/m/CAB7nPqRHmNOYbETnc_2EjsuzSM00Z+BWKv9sy6tnvSd5gWT_JA@mail.gmail.com
Diffstat (limited to 'src/include/storage/large_object.h')
-rw-r--r--src/include/storage/large_object.h13
1 files changed, 8 insertions, 5 deletions
diff --git a/src/include/storage/large_object.h b/src/include/storage/large_object.h
index 796a8fdeea7..01d0985b440 100644
--- a/src/include/storage/large_object.h
+++ b/src/include/storage/large_object.h
@@ -27,9 +27,9 @@
* offset is the current seek offset within the LO
* flags contains some flag bits
*
- * NOTE: in current usage, flag bit IFS_RDLOCK is *always* set, and we don't
- * bother to test for it. Permission checks are made at first read or write
- * attempt, not during inv_open(), so we have other bits to remember that.
+ * NOTE: as of v11, permission checks are made when the large object is
+ * opened; therefore IFS_RDLOCK/IFS_WRLOCK indicate that read or write mode
+ * has been requested *and* the corresponding permission has been checked.
*
* NOTE: before 7.1, we also had to store references to the separate table
* and index of a specific large object. Now they all live in pg_largeobject
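Review bot: The rewritten NOTE says IFS_RDLOCK/IFS_WRLOCK mean the corresponding permission "has been checked", but the last hunk of this same file exports `lo_compat_privileges`, documented there as suppressing LO permission checks, so the invariant presumably does not hold while that GUC is on. A reader who treats these bits as proof of an ACL check would be misled; I would add a line such as `* (Exception: with lo_compat_privileges set, the bits record only the requested mode.)` to this NOTE. The comment above `extern bool lo_compat_privileges;` could likewise say where the flag is honored. The enforcing code in inv_api.c is not visible in these hunks, so the exact behavior should be confirmed there before wording the exception.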
@@ -47,8 +47,6 @@ typedef struct LargeObjectDesc
/* bits in flags: */
#define IFS_RDLOCK (1 << 0) /* LO was opened for reading */
#define IFS_WRLOCK (1 << 1) /* LO was opened for writing */
-#define IFS_RD_PERM_OK (1 << 2) /* read permission has been verified */
-#define IFS_WR_PERM_OK (1 << 3) /* write permission has been verified */
} LargeObjectDesc;
@@ -79,6 +77,11 @@ typedef struct LargeObjectDesc
/*
+ * GUC: backwards-compatibility flag to suppress LO permission checks
+ */
+extern bool lo_compat_privileges;
+
+/*
* Function definitions...
*/