
Commit e0bda4d

committed
[PGPRO-5673] add missing grants (caused by CVE-2018-1058 fixes #415 PGPRO-5315)
1 parent 6081c08 commit e0bda4d


6 files changed

+81
-20
lines changed


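--- a/.travis.yml
+++ b/.travis.yml
@@ -26,13 +26,45 @@ notifications:
 
 # Default MODE is basic, i.e. all tests with PG_PROBACKUP_TEST_BASIC=ON
 env:
-- PG_VERSION=14 PG_BRANCH=REL_14_STABLE
-- PG_VERSION=13 PG_BRANCH=REL_13_STABLE
-- PG_VERSION=12 PG_BRANCH=REL_12_STABLE
-- PG_VERSION=11 PG_BRANCH=REL_11_STABLE
-- PG_VERSION=10 PG_BRANCH=REL_10_STABLE
-- PG_VERSION=9.6 PG_BRANCH=REL9_6_STABLE
-- PG_VERSION=9.5 PG_BRANCH=REL9_5_STABLE
+# - PG_VERSION=14 PG_BRANCH=REL_14_STABLE
+# - PG_VERSION=13 PG_BRANCH=REL_13_STABLE
+# - PG_VERSION=12 PG_BRANCH=REL_12_STABLE
+# - PG_VERSION=11 PG_BRANCH=REL_11_STABLE
+# - PG_VERSION=10 PG_BRANCH=REL_10_STABLE
+# - PG_VERSION=9.6 PG_BRANCH=REL9_6_STABLE
+# - PG_VERSION=9.5 PG_BRANCH=REL9_5_STABLE
+- PG_VERSION=14 PG_BRANCH=REL_14_STABLE MODE=auth_test
+- PG_VERSION=13 PG_BRANCH=REL_13_STABLE MODE=auth_test
+- PG_VERSION=12 PG_BRANCH=REL_12_STABLE MODE=auth_test
+- PG_VERSION=11 PG_BRANCH=REL_11_STABLE MODE=auth_test
+- PG_VERSION=10 PG_BRANCH=REL_10_STABLE MODE=auth_test
+- PG_VERSION=9.6 PG_BRANCH=REL9_6_STABLE MODE=auth_test
+- PG_VERSION=9.5 PG_BRANCH=REL9_5_STABLE MODE=auth_test
+- PG_VERSION=14 PG_BRANCH=REL_14_STABLE MODE=backup
+- PG_VERSION=13 PG_BRANCH=REL_13_STABLE MODE=backup
+- PG_VERSION=12 PG_BRANCH=REL_12_STABLE MODE=backup
+- PG_VERSION=11 PG_BRANCH=REL_11_STABLE MODE=backup
+- PG_VERSION=10 PG_BRANCH=REL_10_STABLE MODE=backup
+- PG_VERSION=9.6 PG_BRANCH=REL9_6_STABLE MODE=backup
+- PG_VERSION=9.5 PG_BRANCH=REL9_5_STABLE MODE=backup
+- PG_VERSION=14 PG_BRANCH=REL_14_STABLE MODE=checkdb
+- PG_VERSION=13 PG_BRANCH=REL_13_STABLE MODE=checkdb
+- PG_VERSION=12 PG_BRANCH=REL_12_STABLE MODE=checkdb
+- PG_VERSION=11 PG_BRANCH=REL_11_STABLE MODE=checkdb
+- PG_VERSION=10 PG_BRANCH=REL_10_STABLE MODE=checkdb
+- PG_VERSION=9.6 PG_BRANCH=REL9_6_STABLE MODE=checkdb
+- PG_VERSION=9.5 PG_BRANCH=REL9_5_STABLE MODE=checkdb
+- PG_VERSION=14 PG_BRANCH=REL_14_STABLE MODE=restore
+- PG_VERSION=13 PG_BRANCH=REL_13_STABLE MODE=restore
+- PG_VERSION=12 PG_BRANCH=REL_12_STABLE MODE=restore
+- PG_VERSION=11 PG_BRANCH=REL_11_STABLE MODE=restore
+- PG_VERSION=10 PG_BRANCH=REL_10_STABLE MODE=restore
+- PG_VERSION=9.6 PG_BRANCH=REL9_6_STABLE MODE=restore
+- PG_VERSION=9.5 PG_BRANCH=REL9_5_STABLE MODE=restore
+- PG_VERSION=14 PG_BRANCH=REL_14_STABLE MODE=ptrack
+- PG_VERSION=13 PG_BRANCH=REL_13_STABLE MODE=ptrack
+- PG_VERSION=12 PG_BRANCH=REL_12_STABLE MODE=ptrack
+- PG_VERSION=11 PG_BRANCH=REL_11_STABLE MODE=ptrack
 # - PG_VERSION=12 PG_BRANCH=REL_12_STABLE MODE=archive
 # - PG_VERSION=12 PG_BRANCH=REL_12_STABLE MODE=backup
 # - PG_VERSION=12 PG_BRANCH=REL_12_STABLE MODE=compression
@@ -43,7 +75,7 @@ env:
 # - PG_VERSION=12 PG_BRANCH=REL_12_STABLE MODE=replica
 # - PG_VERSION=12 PG_BRANCH=REL_12_STABLE MODE=retention
 # - PG_VERSION=12 PG_BRANCH=REL_12_STABLE MODE=restore
-- PG_VERSION=15 PG_BRANCH=master
+# - PG_VERSION=15 PG_BRANCH=master
 
 jobs:
 allow_failures: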
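Review bot: The default basic-mode jobs for 9.5 through 14 and the `PG_VERSION=15 PG_BRANCH=master` job are commented out rather than kept, so after this change CI runs only the auth_test, backup, checkdb, restore and ptrack modes and nothing builds against master. If this is a temporary matrix to validate the new grants, it should be reverted before merge or marked as such, e.g. `# temporary: per-mode matrix for PGPRO-5673, restore the basic jobs afterwards`. Otherwise regressions in the modes that stay commented out below (archive, compression, replica, retention) would go unnoticed. ptrack is also listed only for 11 through 14, which may be intentional but deserves a one-line comment.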

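--- a/doc/pgprobackup.xml
+++ b/doc/pgprobackup.xml
@@ -614,6 +614,8 @@ GRANT EXECUTE ON FUNCTION pg_catalog.pg_switch_xlog() TO backup;
 GRANT EXECUTE ON FUNCTION pg_catalog.txid_current() TO backup;
 GRANT EXECUTE ON FUNCTION pg_catalog.txid_current_snapshot() TO backup;
 GRANT EXECUTE ON FUNCTION pg_catalog.txid_snapshot_xmax(txid_snapshot) TO backup;
+GRANT EXECUTE ON FUNCTION pg_catalog.set_config(text, text, boolean) TO backup;
+GRANT EXECUTE ON FUNCTION pg_catalog.oideq(oid, oid) TO backup;
 COMMIT;
 </programlisting>
 <para>
@@ -634,6 +636,8 @@ GRANT EXECUTE ON FUNCTION pg_catalog.txid_current() TO backup;
 GRANT EXECUTE ON FUNCTION pg_catalog.txid_current_snapshot() TO backup;
 GRANT EXECUTE ON FUNCTION pg_catalog.txid_snapshot_xmax(txid_snapshot) TO backup;
 GRANT EXECUTE ON FUNCTION pg_catalog.pg_control_checkpoint() TO backup;
+GRANT EXECUTE ON FUNCTION pg_catalog.set_config(text, text, boolean) TO backup;
+GRANT EXECUTE ON FUNCTION pg_catalog.oideq(oid, oid) TO backup;
 COMMIT;
 </programlisting>
 <para>
@@ -654,6 +658,8 @@ GRANT EXECUTE ON FUNCTION pg_catalog.txid_current() TO backup;
 GRANT EXECUTE ON FUNCTION pg_catalog.txid_current_snapshot() TO backup;
 GRANT EXECUTE ON FUNCTION pg_catalog.txid_snapshot_xmax(txid_snapshot) TO backup;
 GRANT EXECUTE ON FUNCTION pg_catalog.pg_control_checkpoint() TO backup;
+GRANT EXECUTE ON FUNCTION pg_catalog.set_config(text, text, boolean) TO backup;
+GRANT EXECUTE ON FUNCTION pg_catalog.oideq(oid, oid) TO backup;
 COMMIT;
 </programlisting>
 <para>
@@ -5541,6 +5547,8 @@ GRANT EXECUTE ON FUNCTION pg_catalog.txid_current() TO backup;
 GRANT EXECUTE ON FUNCTION pg_catalog.txid_current_snapshot() TO backup;
 GRANT EXECUTE ON FUNCTION pg_catalog.txid_snapshot_xmax(txid_snapshot) TO backup;
 GRANT EXECUTE ON FUNCTION pg_catalog.pg_control_checkpoint() TO backup;
+GRANT EXECUTE ON FUNCTION pg_catalog.set_config(text, text, boolean) TO backup;
+GRANT EXECUTE ON FUNCTION pg_catalog.oideq(oid, oid) TO backup;
 COMMIT;
 </programlisting>
 </step>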

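--- a/tests/backup.py
+++ b/tests/backup.py
@@ -2028,7 +2028,9 @@ def test_backup_with_least_privileges_role(self):
 "GRANT EXECUTE ON FUNCTION pg_catalog.pg_start_backup(text, boolean) TO backup; "
 "GRANT EXECUTE ON FUNCTION pg_catalog.pg_stop_backup() TO backup; "
 "GRANT EXECUTE ON FUNCTION pg_catalog.txid_current_snapshot() TO backup; "
-"GRANT EXECUTE ON FUNCTION pg_catalog.txid_snapshot_xmax(txid_snapshot) TO backup;"
+"GRANT EXECUTE ON FUNCTION pg_catalog.txid_snapshot_xmax(txid_snapshot) TO backup; "
+"GRANT EXECUTE ON FUNCTION pg_catalog.set_config(text, text, boolean) TO backup; "
+"GRANT EXECUTE ON FUNCTION pg_catalog.oideq(oid, oid) TO backup;"
 )
 # PG 9.6
 elif self.get_version(node) > 90600 and self.get_version(node) < 100000:
@@ -2065,7 +2067,9 @@ def test_backup_with_least_privileges_role(self):
 "GRANT EXECUTE ON FUNCTION pg_catalog.pg_switch_xlog() TO backup; "
 "GRANT EXECUTE ON FUNCTION pg_catalog.pg_last_xlog_replay_location() TO backup; "
 "GRANT EXECUTE ON FUNCTION pg_catalog.txid_current_snapshot() TO backup; "
-"GRANT EXECUTE ON FUNCTION pg_catalog.txid_snapshot_xmax(txid_snapshot) TO backup;"
+"GRANT EXECUTE ON FUNCTION pg_catalog.txid_snapshot_xmax(txid_snapshot) TO backup; "
+"GRANT EXECUTE ON FUNCTION pg_catalog.set_config(text, text, boolean) TO backup; "
+"GRANT EXECUTE ON FUNCTION pg_catalog.oideq(oid, oid) TO backup;"
 )
 # >= 10
 else:
@@ -2101,7 +2105,9 @@ def test_backup_with_least_privileges_role(self):
 "GRANT EXECUTE ON FUNCTION pg_catalog.pg_switch_wal() TO backup; "
 "GRANT EXECUTE ON FUNCTION pg_catalog.pg_last_wal_replay_lsn() TO backup; "
 "GRANT EXECUTE ON FUNCTION pg_catalog.txid_current_snapshot() TO backup; "
-"GRANT EXECUTE ON FUNCTION pg_catalog.txid_snapshot_xmax(txid_snapshot) TO backup;"
+"GRANT EXECUTE ON FUNCTION pg_catalog.txid_snapshot_xmax(txid_snapshot) TO backup; "
+"GRANT EXECUTE ON FUNCTION pg_catalog.set_config(text, text, boolean) TO backup; "
+"GRANT EXECUTE ON FUNCTION pg_catalog.oideq(oid, oid) TO backup;"
 )
 
 if self.ptrack: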
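Review bot: The two new grants are pasted into all three version branches of test_backup_with_least_privileges_role, and the same pair is repeated in the three branches of tests/ptrack.py and tests/restore.py, so nine string literals now define the least-privilege role and must be kept in sync by hand. Keeping the common tail in one shared constant that each branch appends would leave a single place to edit the next time the required privileges change. The new lines also carry no reason; a comment such as `# set_config/oideq: required since the CVE-2018-1058 hardening` would help, though that reason is inferred from the commit title and should be confirmed against the client code. The function body starts and ends outside these hunks.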

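--- a/tests/checkdb.py
+++ b/tests/checkdb.py
@@ -570,7 +570,8 @@ def test_checkdb_with_least_privileges(self):
 'GRANT EXECUTE ON FUNCTION pg_catalog.pg_is_in_recovery() TO backup; '
 'GRANT EXECUTE ON FUNCTION pg_catalog.pg_control_system() TO backup; '
 'GRANT EXECUTE ON FUNCTION bt_index_check(regclass) TO backup; '
-'GRANT EXECUTE ON FUNCTION bt_index_check(regclass, bool) TO backup;'
+'GRANT EXECUTE ON FUNCTION bt_index_check(regclass, bool) TO backup; '
+'GRANT EXECUTE ON FUNCTION pg_catalog.set_config(text, text, boolean) TO backup;'
 )
 # PG 9.6
 elif self.get_version(node) > 90600 and self.get_version(node) < 100000:
@@ -596,7 +597,8 @@ def test_checkdb_with_least_privileges(self):
 'GRANT EXECUTE ON FUNCTION pg_catalog.pg_is_in_recovery() TO backup; '
 'GRANT EXECUTE ON FUNCTION pg_catalog.pg_control_system() TO backup; '
 # 'GRANT EXECUTE ON FUNCTION bt_index_check(regclass) TO backup; '
-'GRANT EXECUTE ON FUNCTION bt_index_check(regclass, bool) TO backup;'
+'GRANT EXECUTE ON FUNCTION bt_index_check(regclass, bool) TO backup; '
+'GRANT EXECUTE ON FUNCTION pg_catalog.set_config(text, text, boolean) TO backup;'
 )
 # >= 10
 else:
@@ -622,7 +624,8 @@ def test_checkdb_with_least_privileges(self):
 'GRANT EXECUTE ON FUNCTION pg_catalog.pg_is_in_recovery() TO backup; '
 'GRANT EXECUTE ON FUNCTION pg_catalog.pg_control_system() TO backup; '
 'GRANT EXECUTE ON FUNCTION bt_index_check(regclass) TO backup; '
-'GRANT EXECUTE ON FUNCTION bt_index_check(regclass, bool) TO backup;'
+'GRANT EXECUTE ON FUNCTION bt_index_check(regclass, bool) TO backup; '
+'GRANT EXECUTE ON FUNCTION pg_catalog.set_config(text, text, boolean) TO backup;'
 )
 
 if ProbackupTest.enterprise: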
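Review bot: test_checkdb_with_least_privileges gains `pg_catalog.set_config(text, text, boolean)` in all three branches but not `pg_catalog.oideq(oid, oid)`, which the backup, ptrack and restore tests and the documentation hunks of this commit all add. If checkdb's catalog queries never need the oid comparison this is fine, but nothing visible here says so. A short comment such as `# oideq is not granted: checkdb does not compare oids` would make the difference deliberate; if that is not true, the grant is missing here. The function body starts and ends outside these hunks.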

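--- a/tests/ptrack.py
+++ b/tests/ptrack.py
@@ -410,7 +410,9 @@ def test_ptrack_unprivileged(self):
 "GRANT EXECUTE ON FUNCTION pg_catalog.pg_start_backup(text, boolean) TO backup; "
 "GRANT EXECUTE ON FUNCTION pg_catalog.pg_stop_backup() TO backup; "
 "GRANT EXECUTE ON FUNCTION pg_catalog.txid_current_snapshot() TO backup; "
-"GRANT EXECUTE ON FUNCTION pg_catalog.txid_snapshot_xmax(txid_snapshot) TO backup;"
+"GRANT EXECUTE ON FUNCTION pg_catalog.txid_snapshot_xmax(txid_snapshot) TO backup; "
+"GRANT EXECUTE ON FUNCTION pg_catalog.set_config(text, text, boolean) TO backup; "
+"GRANT EXECUTE ON FUNCTION pg_catalog.oideq(oid, oid) TO backup;"
 )
 # PG 9.6
 elif self.get_version(node) > 90600 and self.get_version(node) < 100000:
@@ -446,7 +448,9 @@ def test_ptrack_unprivileged(self):
 "GRANT EXECUTE ON FUNCTION pg_catalog.pg_switch_xlog() TO backup; "
 "GRANT EXECUTE ON FUNCTION pg_catalog.pg_last_xlog_replay_location() TO backup; "
 "GRANT EXECUTE ON FUNCTION pg_catalog.txid_current_snapshot() TO backup; "
-"GRANT EXECUTE ON FUNCTION pg_catalog.txid_snapshot_xmax(txid_snapshot) TO backup;"
+"GRANT EXECUTE ON FUNCTION pg_catalog.txid_snapshot_xmax(txid_snapshot) TO backup; "
+"GRANT EXECUTE ON FUNCTION pg_catalog.set_config(text, text, boolean) TO backup; "
+"GRANT EXECUTE ON FUNCTION pg_catalog.oideq(oid, oid) TO backup;"
 )
 # >= 10
 else:
@@ -480,7 +484,9 @@ def test_ptrack_unprivileged(self):
 "GRANT EXECUTE ON FUNCTION pg_catalog.pg_switch_wal() TO backup; "
 "GRANT EXECUTE ON FUNCTION pg_catalog.pg_last_wal_replay_lsn() TO backup; "
 "GRANT EXECUTE ON FUNCTION pg_catalog.txid_current_snapshot() TO backup; "
-"GRANT EXECUTE ON FUNCTION pg_catalog.txid_snapshot_xmax(txid_snapshot) TO backup;"
+"GRANT EXECUTE ON FUNCTION pg_catalog.txid_snapshot_xmax(txid_snapshot) TO backup; "
+"GRANT EXECUTE ON FUNCTION pg_catalog.set_config(text, text, boolean) TO backup; "
+"GRANT EXECUTE ON FUNCTION pg_catalog.oideq(oid, oid) TO backup;"
 )
 
 if node.major_version < 11: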

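--- a/tests/restore.py
+++ b/tests/restore.py
@@ -3230,7 +3230,9 @@ def test_missing_database_map(self):
 "GRANT EXECUTE ON FUNCTION pg_catalog.pg_start_backup(text, boolean) TO backup; "
 "GRANT EXECUTE ON FUNCTION pg_catalog.pg_stop_backup() TO backup; "
 "GRANT EXECUTE ON FUNCTION pg_catalog.txid_current_snapshot() TO backup; "
-"GRANT EXECUTE ON FUNCTION pg_catalog.txid_snapshot_xmax(txid_snapshot) TO backup;"
+"GRANT EXECUTE ON FUNCTION pg_catalog.txid_snapshot_xmax(txid_snapshot) TO backup; "
+"GRANT EXECUTE ON FUNCTION pg_catalog.set_config(text, text, boolean) TO backup; "
+"GRANT EXECUTE ON FUNCTION pg_catalog.oideq(oid, oid) TO backup;"
 )
 # PG 9.6
 elif self.get_version(node) > 90600 and self.get_version(node) < 100000:
@@ -3267,7 +3269,9 @@ def test_missing_database_map(self):
 "GRANT EXECUTE ON FUNCTION pg_catalog.pg_switch_xlog() TO backup; "
 "GRANT EXECUTE ON FUNCTION pg_catalog.pg_last_xlog_replay_location() TO backup; "
 "GRANT EXECUTE ON FUNCTION pg_catalog.txid_current_snapshot() TO backup; "
-"GRANT EXECUTE ON FUNCTION pg_catalog.txid_snapshot_xmax(txid_snapshot) TO backup;"
+"GRANT EXECUTE ON FUNCTION pg_catalog.txid_snapshot_xmax(txid_snapshot) TO backup; "
+"GRANT EXECUTE ON FUNCTION pg_catalog.set_config(text, text, boolean) TO backup; "
+"GRANT EXECUTE ON FUNCTION pg_catalog.oideq(oid, oid) TO backup;"
 )
 # >= 10
 else:
@@ -3302,7 +3306,9 @@ def test_missing_database_map(self):
 "GRANT EXECUTE ON FUNCTION pg_catalog.pg_switch_wal() TO backup; "
 "GRANT EXECUTE ON FUNCTION pg_catalog.pg_last_wal_replay_lsn() TO backup; "
 "GRANT EXECUTE ON FUNCTION pg_catalog.txid_current_snapshot() TO backup; "
-"GRANT EXECUTE ON FUNCTION pg_catalog.txid_snapshot_xmax(txid_snapshot) TO backup;"
+"GRANT EXECUTE ON FUNCTION pg_catalog.txid_snapshot_xmax(txid_snapshot) TO backup; "
+"GRANT EXECUTE ON FUNCTION pg_catalog.set_config(text, text, boolean) TO backup; "
+"GRANT EXECUTE ON FUNCTION pg_catalog.oideq(oid, oid) TO backup;"
 )
 
 if self.ptrack: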
