packages/postgresql
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
postgresql/0010-CVE-2020-14349-2.patch
s17723959267 35c3fe921c l
2020-09-10 14:49:21 +08:00

54 lines
2.4 KiB
Diff
Raw Blame History

From cec57b1a0fbcd3833086ba686897c5883e0a2afc Mon Sep 17 00:00:00 2001
From: Noah Misch <noah@leadboat.com>
Date: Mon, 10 Aug 2020 09:22:54 -0700
Subject: [PATCH] Document clashes between logical replication and untrusted
users.
Back-patch to v10, which introduced logical replication.
Security: CVE-2020-14349
reason: fix CVE-2020-14349
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=cec57b1a0fbcd3833086ba686897c5883e0a2afc
Signed-off-by: Noah Misch <noah@leadboat.com>
---
doc/src/sgml/logical-replication.sgml | 22 +++++++++++++++++++---
1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/doc/src/sgml/logical-replication.sgml b/doc/src/sgml/logical-replication.sgml
index 41770a4..f5086b2 100644
--- a/doc/src/sgml/logical-replication.sgml
+++ b/doc/src/sgml/logical-replication.sgml
@@ -490,11 +490,27 @@
<sect1 id="logical-replication-security">
<title>Security</title>
+ <para>
+ A user able to modify the schema of subscriber-side tables can execute
+ arbitrary code as a superuser. Limit ownership
+ and <literal>TRIGGER</literal> privilege on such tables to roles that
+ superusers trust. Moreover, if untrusted users can create tables, use only
+ publications that list tables explicitly. That is to say, create a
+ subscription <literal>FOR ALL TABLES</literal> only when superusers trust
+ every user permitted to create a non-temp table on the publisher or the
+ subscriber.
+ </para>
+
<para>
The role used for the replication connection must have
- the <literal>REPLICATION</literal> attribute (or be a superuser). Access for the role must be
- configured in <filename>pg_hba.conf</filename> and it must have the
- <literal>LOGIN</literal> attribute.
+ the <literal>REPLICATION</literal> attribute (or be a superuser). If the
+ role lacks <literal>SUPERUSER</literal> and <literal>BYPASSRLS</literal>,
+ publisher row security policies can execute. If the role does not trust
+ all table owners, include <literal>options=-crow_security=off</literal> in
+ the connection string; if a table owner then adds a row security policy,
+ that setting will cause replication to halt rather than execute the policy.
+ Access for the role must be configured in <filename>pg_hba.conf</filename>
+ and it must have the <literal>LOGIN</literal> attribute.
</para>
<para>
--
2.23.0
Reference in New Issue View Git Blame Copy Permalink