adminpack: Revoke EXECUTE on pg_logfile_rotate()

sfrost · sfrost · commit 7b347409fa27 · 2018-05-07T10:10:33.000-04:00
In 9.6, we moved a number of functions over to using the GRANT system to control access instead of having hard-coded superuser checks. As it turns out, adminpack was creating another function in the catalog for one of those backend functions where the superuser check was removed, specifically pg_rotate_logfile(), but it didn't get the memo about having to REVOKE EXECUTE on the alternative-name function (pg_logfile_rotate()), meaning that in any installations with adminpack on 9.6 and higher, any user is able to run the pg_logfile_rotate() function, which then calls pg_rotate_logfile() and rotates the logfile. Fix by adding a new version of adminpack (1.1) which handles the REVOKE. As this function should have only been available to the superuser, this is a security issue, albeit a minor one. In HEAD, move the changes implemented for adminpack up to be adminpack 2.0 instead of 1.1. Security: CVE-2018-1115
diff --git a/contrib/adminpack/Makefile b/contrib/adminpack/Makefile
@@ -5,7 +5,7 @@ OBJS = adminpack.o $(WIN32RES)
 PG_CPPFLAGS = -I$(libpq_srcdir)
 
 EXTENSION = adminpack
-DATA = adminpack--1.0.sql adminpack--1.0--1.1.sql
+DATA = adminpack--1.0.sql adminpack--1.0--1.1.sql adminpack--1.1--2.0.sql
 PGFILEDESC = "adminpack - support functions for pgAdmin"
 
 REGRESS = adminpack
diff --git a/contrib/adminpack/adminpack--1.0--1.1.sql b/contrib/adminpack/adminpack--1.0--1.1.sql
@@ -3,49 +3,4 @@
 -- complain if script is sourced in psql, rather than via ALTER EXTENSION
 \echo Use "ALTER EXTENSION adminpack UPDATE TO '1.1'" to load this file. \quit
 
-/* ***********************************************
- * Administrative functions for PostgreSQL
- * *********************************************** */
-
-/* generic file access functions */
-
-CREATE OR REPLACE FUNCTION pg_catalog.pg_file_write(text, text, bool)
-RETURNS bigint
-AS 'MODULE_PATHNAME', 'pg_file_write_v1_1'
-LANGUAGE C VOLATILE STRICT;
-
-REVOKE EXECUTE ON FUNCTION pg_catalog.pg_file_write(text, text, bool) FROM PUBLIC;
-
-CREATE OR REPLACE FUNCTION pg_catalog.pg_file_rename(text, text, text)
-RETURNS bool
-AS 'MODULE_PATHNAME', 'pg_file_rename_v1_1'
-LANGUAGE C VOLATILE;
-
-REVOKE EXECUTE ON FUNCTION pg_catalog.pg_file_rename(text, text, text) FROM PUBLIC;
-
-CREATE OR REPLACE FUNCTION pg_catalog.pg_file_rename(text, text)
-RETURNS bool
-AS 'SELECT pg_catalog.pg_file_rename($1, $2, NULL::pg_catalog.text);'
-LANGUAGE SQL VOLATILE STRICT;
-
-CREATE OR REPLACE FUNCTION pg_catalog.pg_file_unlink(text)
-RETURNS bool
-AS 'MODULE_PATHNAME', 'pg_file_unlink_v1_1'
-LANGUAGE C VOLATILE STRICT;
-
-REVOKE EXECUTE ON FUNCTION pg_catalog.pg_file_unlink(text) FROM PUBLIC;
-
-CREATE OR REPLACE FUNCTION pg_catalog.pg_logdir_ls()
-RETURNS setof record
-AS 'MODULE_PATHNAME', 'pg_logdir_ls_v1_1'
-LANGUAGE C VOLATILE STRICT;
-
-REVOKE EXECUTE ON FUNCTION pg_catalog.pg_logdir_ls() FROM PUBLIC;
-
-/* These functions are now in the backend and callers should update to use those */
-
-DROP FUNCTION pg_file_read(text, bigint, bigint);
-
-DROP FUNCTION pg_file_length(text);
-
-DROP FUNCTION pg_logfile_rotate();
+REVOKE EXECUTE ON FUNCTION pg_catalog.pg_logfile_rotate() FROM PUBLIC;
diff --git a/contrib/adminpack/adminpack--1.1--2.0.sql b/contrib/adminpack/adminpack--1.1--2.0.sql
@@ -0,0 +1,51 @@
+/* contrib/adminpack/adminpack--1.1--2.0.sql */
+
+-- complain if script is sourced in psql, rather than via ALTER EXTENSION
+\echo Use "ALTER EXTENSION adminpack UPDATE TO '2.0'" to load this file. \quit
+
+/* ***********************************************
+ * Administrative functions for PostgreSQL
+ * *********************************************** */
+
+/* generic file access functions */
+
+CREATE OR REPLACE FUNCTION pg_catalog.pg_file_write(text, text, bool)
+RETURNS bigint
+AS 'MODULE_PATHNAME', 'pg_file_write_v1_1'
+LANGUAGE C VOLATILE STRICT;
+
+REVOKE EXECUTE ON FUNCTION pg_catalog.pg_file_write(text, text, bool) FROM PUBLIC;
+
+CREATE OR REPLACE FUNCTION pg_catalog.pg_file_rename(text, text, text)
+RETURNS bool
+AS 'MODULE_PATHNAME', 'pg_file_rename_v1_1'
+LANGUAGE C VOLATILE;
+
+REVOKE EXECUTE ON FUNCTION pg_catalog.pg_file_rename(text, text, text) FROM PUBLIC;
+
+CREATE OR REPLACE FUNCTION pg_catalog.pg_file_rename(text, text)
+RETURNS bool
+AS 'SELECT pg_catalog.pg_file_rename($1, $2, NULL::pg_catalog.text);'
+LANGUAGE SQL VOLATILE STRICT;
+
+CREATE OR REPLACE FUNCTION pg_catalog.pg_file_unlink(text)
+RETURNS bool
+AS 'MODULE_PATHNAME', 'pg_file_unlink_v1_1'
+LANGUAGE C VOLATILE STRICT;
+
+REVOKE EXECUTE ON FUNCTION pg_catalog.pg_file_unlink(text) FROM PUBLIC;
+
+CREATE OR REPLACE FUNCTION pg_catalog.pg_logdir_ls()
+RETURNS setof record
+AS 'MODULE_PATHNAME', 'pg_logdir_ls_v1_1'
+LANGUAGE C VOLATILE STRICT;
+
+REVOKE EXECUTE ON FUNCTION pg_catalog.pg_logdir_ls() FROM PUBLIC;
+
+/* These functions are now in the backend and callers should update to use those */
+
+DROP FUNCTION pg_file_read(text, bigint, bigint);
+
+DROP FUNCTION pg_file_length(text);
+
+DROP FUNCTION pg_logfile_rotate();
diff --git a/contrib/adminpack/adminpack.control b/contrib/adminpack/adminpack.control
@@ -1,6 +1,6 @@
 # adminpack extension
 comment = 'administrative functions for PostgreSQL'
-default_version = '1.1'
+default_version = '2.0'
 module_pathname = '$libdir/adminpack'
 relocatable = false
 schema = pg_catalog
