8000 Use a separate interpreter for each calling SQL userid in plperl and … · rshsdev/postgres@b68319c · GitHub
[go: up one dir, main page]
Skip to content

Commit b68319c

Browse files
tglsfdctglsfdc
committed
Use a separate interpreter for each calling SQL userid in plperl and pltcl.
There are numerous methods by which a Perl or Tcl function can subvert the behavior of another such function executed later; for example, by redefining standard functions or operators called by the target function. If the target function is SECURITY DEFINER, or is called by such a function, this means that any ordinary SQL user with Perl or Tcl language usage rights can do essentially anything with the privileges of the target function's owner. To close this security hole, create a separate Perl or Tcl interpreter for each SQL userid under which plperl or pltcl functions are executed within a session. However, all plperlu or pltclu functions run within a session still share a single interpreter, since they all execute at the trust level of a database superuser anyway. Note: this change results in a functionality loss when libperl has been built without the "multiplicity" option: it's no longer possible to call plperl functions under different userids in one session, since such a libperl can't support multiple interpreters in one process. However, such a libperl already failed to support concurrent use of plperl and plperlu, so it's likely that few people use such versions with Postgres. Security: CVE-2010-3433
1 parent 8ecec04 commit b68319c

File tree

6 files changed

+635
-378
lines changed

6 files changed

+635
-378
lines changed

doc/src/sgml/installation.sgml

10000
Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -145,8 +145,12 @@ su - postgres
145145
<filename>libperl</filename> library must be a shared library
146146
also on most platforms. This appears to be the default in
147147
recent Perl versions, but it was not in earlier versions, and in
148-
general it is the choice of whomever installed Perl at your
149-
site.
148+
any case it is the choice of whomever installed Perl at your site.
149+
If you intend to make more than incidental use of
150+
<application>PL/Perl</application>, you should ensure that the
151+
<productname>Perl</productname> installation was built with the
152+
<literal>usemultiplicity</> option enabled (<literal>perl -V</>
153+
will show whether this is the case).
150154
</para>
151155

152156
<para>

doc/src/sgml/plperl.sgml

Lines changed: 42 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -261,21 +261,31 @@ CREATE FUNCTION badfunc() RETURNS integer AS '
261261
</para>
262262

263263
<note>
264-
<para>
265-
For security reasons, to stop a leak of privileged operations from
266-
<application>PL/PerlU</> to <application>PL/Perl</>, these two languages
267-
have to run in separate instances of the Perl interpreter. If your
268-
Perl installation has been appropriately compiled, this is not a problem.
269-
However, not all installations are compiled with the requisite flags.
270-
If <productname>PostgreSQL</> detects that this is the case then it will
271-
not start a second interpreter, but instead create an error. In
272-
consequence, in such an installation, you cannot use both
273-
<application>PL/PerlU</> and <application>PL/Perl</> in the same backend
274-
process. The remedy for this is to obtain a Perl installation created
275-
with the appropriate flags, namely either <literal>usemultiplicity</> or
276-
both <literal>usethreads</> and <literal>useithreads</>.
277-
For more details,see the <literal>perlembed</> manual page.
278-
</para>
264+
<para>
265+
While <application>PL/Perl</> functions run in a separate Perl
266+
interpreter for each SQL role, all <application>PL/PerlU</> functions
267+
executed in a given session run in a single Perl interpreter (which is
268+
not any of the ones used for <application>PL/Perl</> functions).
269+
This allows <application>PL/PerlU</> functions to share data freely,
270+
but no communication can occur between <application>PL/Perl</> and
271+
<application>PL/PerlU</> functions.
272+
</para>
273+
</note>
274+
275+
<note>
276+
<para>
277+
Perl cannot support multiple interpreters within one process unless
278+
it was built with the appropriate flags, namely either
279+
<literal>usemultiplicity</> or <literal>useithreads</>.
280+
(<literal>usemultiplicity</> is preferred unless you actually need
281+
to use threads. For more details, see the
282+
<citerefentry><refentrytitle>perlembed</></citerefentry> man page.)
283+
If <application>PL/Perl</> is used with a copy of Perl that was not built
284+
this way, then it is only possible to have one Perl interpreter per
285+
session, and so any one session can only execute either
286+
<application>PL/PerlU</> functions, or <application>PL/Perl</> functions
287+
that are all called by the same SQL role.
288+
</para>
279289
</note>
280290

281291
</sect1>
@@ -313,6 +323,23 @@ CREATE FUNCTION badfunc() RETURNS integer AS '
313323
</listitem>
314324
</itemizedlist>
315325
</para>
326+
327+
<para>
328+
For security reasons, PL/Perl executes functions called by any one SQL role
329+
in a separate Perl interpreter for that role. This prevents accidental or
330+
malicious interference by one user with the behavior of another user's
331+
PL/Perl functions. Each such interpreter has its own value of the
332+
<varname>%_SHARED</varname> variable and other global state. Thus, two
333+
PL/Perl functions will share the same value of <varname>%_SHARED</varname>
334+
if and only if they are executed by the same SQL role. In an application
335+
wherein a single session executes code under multiple SQL roles (via
336+
<literal>SECURITY DEFINER</> functions, use of <command>SET ROLE</>, etc)
337+
you may need to take explicit steps to ensure that PL/Perl functions can
338+
share data via <varname>%_SHARED</varname>. To do that, make sure that
339+
functions that should communicate are owned by the same user, and mark
340+
them <literal>SECURITY DEFINER</>. You must of course take care that
341+
such functions can't be used to do anything unintended.
342+
</para>
316343
</sect1>
317344

318345
</chapter>

doc/src/sgml/pltcl.sgml

Lines changed: 36 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -199,24 +199,48 @@ CREATE FUNCTION overpaid(employee) RETURNS boolean AS '
199199
Sometimes it
200200
is useful to have some global data that is held between two
201201
calls to a function or is shared between different functions.
202-
This is easily done since
203-
all PL/Tcl functions executed in one session share the same
204-
safe Tcl interpreter. So, any global Tcl variable is accessible to
205-
all PL/Tcl function calls and will persist for the duration of the
206-
SQL session. (Note that <application>PL/TclU</> functions likewise share
207-
global data, but they are in a different Tcl interpreter and cannot
208-
communicate with PL/Tcl functions.)
202+
This is easily done in PL/Tcl, but there are some restrictions that
203+
must be understood.
209204
</para>
205+
206+
<para>
207+
For security reasons, PL/Tcl executes functions called by any one SQL
208+
role in a separate Tcl interpreter for that role. This prevents
209+
accidental or malicious interference by one user with the behavior of
21 F438 0+
another user's PL/Tcl functions. Each such interpreter will have its own
211+
values for any <quote>global</> Tcl variables. Thus, two PL/Tcl
212+
functions will share the same global variables if and only if they are
213+
executed by the same SQL role. In an application wherein a single
214+
session executes code under multiple SQL roles (via <literal>SECURITY
215+
DEFINER</> functions, use of <command>SET ROLE</>, etc) you may need to
216+
take explicit steps to ensure that PL/Tcl functions can share data. To
217+
do that, make sure that functions that should communicate are owned by
218+
the same user, and mark them <literal>SECURITY DEFINER</>. You must of
219+
course take care that such functions can't be used to do anything
220+
unintended.
221+
</para>
222+
223+
<para>
224+
All PL/TclU functions used in a session execute in the same Tcl
225+
interpreter, which of course is distinct from the interpreter(s)
226+
used for PL/Tcl functions. So global data is automatically shared
227+
between PL/TclU functions. This is not considered a security risk
228+
because all PL/TclU functions execute at the same trust level,
229+
namely that of a database superuser.
230+
</para>
231+
210232
<para>
211233
To help protect PL/Tcl functions from unintentionally interfering
212234
with each other, a global
213235
array is made available to each function via the <function>upvar</>
214236
command. The global name of this variable is the function's internal
215237
name, and the local name is <literal>GD</>. It is recommended that
216238
<literal>GD</> be used
217-
for private data of a function. Use regular Tcl global variables
218-
only for values that you specifically intend to be shared among multiple
219-
functions.
239+
for persistent private data of a function. Use regular Tcl global
240+
variables only for values that you specifically intend to be shared among
241+
multiple functions. (Note that the <literal>GD</> arrays are only
242+
global within a particular interpreter, so they do not bypass the
243+
security restrictions mentioned above.)
220244
</para>
221245

222246
<para>
@@ -648,8 +672,8 @@ CREATE TRIGGER trig_mytab_modcount BEFORE INSERT OR UPDATE ON mytab
648672
exists, the module <literal>unknown</> is fetched from the table
649673
and loaded into the Tcl interpreter immediately before the first
650674
execution of a PL/Tcl function in a database session. (This
651-
happens separately for PL/Tcl and PL/TclU, if both are used,
652-
because separate interpreters are used for the two languages.)
675+
happens separately for each Tcl interpreter, if more than one is
676+
used in a session; see <xref linkend="pltcl-global">.)
653677
</para>
654678
<para>
655679
While the <literal>unknown</> module could actually contain any

doc/src/sgml/release-7.4.sgml

Lines changed: 37 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -37,6 +37,43 @@
3737

3838
<itemizedlist>
3939

40+
<listitem>
41+
<para>
42+
Use a separate interpreter for each calling SQL userid in PL/Perl and
43+
PL/Tcl (Tom Lane)
44+
</para>
45+
46+
<para>
47+
This change prevents security problems that can be caused by subverting
48+
Perl or Tcl code that will be executed later in the same session under
49+
another SQL user identity (for example, within a <literal>SECURITY
50+
DEFINER</> function). Most scripting languages offer numerous ways that
51+
that might be done, such as redefining standard functions or operators
52+
called by the target function. Without this change, any SQL user with
53+
Perl or Tcl language usage rights can do essentially anything with the
54+
SQL privileges of the target function's owner.
55+
</para>
56+
57+
<para>
58+
The cost of this change is that intentional communication among Perl
59+
and Tcl functions becomes more difficult. To provide an escape hatch,
60+
PL/PerlU and PL/TclU functions continue to use only one interpreter
61+
per session. This is not considered a security issue since all such
62+
functions execute at the trust level of a database superuser already.
63+
</para>
64+
65+
<para>
66+
It is likely that third-party procedural languages that claim to offer
67+
trusted execution have similar security issues. We advise contacting
68+
the authors of any PL you are depending on for security-critical
69+
purposes.
70+
</para>
71+
72+
<para>
73+
Our thanks to Tim Bunce for pointing out this issue (CVE-2010-3433).
74+
</para>
75+
</listitem>
76+
4077
<listitem>
4178
<para>
4279
Prevent possible crashes in <function>pg_get_expr()</> by disallowing

0 commit comments

Comments
 (0)
0