Ban role pg_signal_backend from more superuser backend types.

Documentation says it cannot signal "a backend owned by a superuser".
On the contrary, it could signal background workers, including the
logical replication launcher.  It could signal autovacuum workers and
the autovacuum launcher.  Block all that.  Signaling autovacuum workers
and those two launchers doesn't stall progress beyond what one could
achieve other ways.  If a cluster uses a non-core extension with a
background worker that does not auto-restart, this could create a denial
of service with respect to that background worker.  A background worker
with bugs in its code for responding to terminations or cancellations
could experience those bugs at a time the pg_signal_backend member
chooses.  Back-patch to v11 (all supported versions).

Reviewed by Jelte Fennema-Nio.  Reported by Hemanth Sandrana and
Mahendrakar Srinivasarao.

Security: CVE-2023-5870

diff --git a/src/backend/storage/ipc/signalfuncs.c b/src/backend/storage/ipc/signalfuncs.c
index ade8d713aae2eb64c2887dbc0af4ceb0eb36c4d4..a2ff02baf62516c0eaf0e0db27b3cfc84af7e766 100644 (file)
--- a/src/backend/storage/ipc/signalfuncs.c
+++ b/src/backend/storage/ipc/signalfuncs.c
@@ -68,8 +68,13 @@ pg_signal_backend(int pid, int sig)
                return SIGNAL_BACKEND_ERROR;
        }
 
-       /* Only allow superusers to signal superuser-owned backends. */
-       if (superuser_arg(proc->roleId) && !superuser())
+       /*
+        * Only allow superusers to signal superuser-owned backends.  Any process
+        * not advertising a role might have the importance of a superuser-owned
+        * backend, so treat it that way.
+        */
+       if ((!OidIsValid(proc->roleId) || superuser_arg(proc->roleId)) &&
+               !superuser())
                return SIGNAL_BACKEND_NOSUPERUSER;
 
        /* Users can signal backends they have role membership in. */

diff --git a/src/test/regress/expected/privileges.out b/src/test/regress/expected/privileges.out
index 706c55ba6593d2b75fe1463e9bbd0e28009e2e58..41cd8c22cc45b833f85a91de5aa1d74f9f3e2911 100644 (file)
--- a/src/test/regress/expected/privileges.out
+++ b/src/test/regress/expected/privileges.out
@@ -1713,6 +1713,24 @@ SELECT * FROM pg_largeobject LIMIT 0;
 SET SESSION AUTHORIZATION regress_priv_user1;
 SELECT * FROM pg_largeobject LIMIT 0;                  -- to be denied
 ERROR:  permission denied for table pg_largeobject
+-- pg_signal_backend can't signal superusers
+RESET SESSION AUTHORIZATION;
+BEGIN;
+CREATE OR REPLACE FUNCTION terminate_nothrow(pid int) RETURNS bool
+       LANGUAGE plpgsql SECURITY DEFINER SET client_min_messages = error AS $$
+BEGIN
+       RETURN pg_terminate_backend($1);
+EXCEPTION WHEN OTHERS THEN
+       RETURN false;
+END$$;
+ALTER FUNCTION terminate_nothrow OWNER TO pg_signal_backend;
+SELECT backend_type FROM pg_stat_activity
+WHERE CASE WHEN COALESCE(usesysid, 10) = 10 THEN terminate_nothrow(pid) END;
+ backend_type 
+--------------
+(0 rows)
+
+ROLLBACK;
 -- test default ACLs
 \c -
 CREATE SCHEMA testns;

diff --git a/src/test/regress/sql/privileges.sql b/src/test/regress/sql/privileges.sql
index c0b88a6fe40c43e857493b60cafe646a39dab485..213e233a6859fa42f9b38b1e58fc38843d8dc463 100644 (file)
--- a/src/test/regress/sql/privileges.sql
+++ b/src/test/regress/sql/privileges.sql
@@ -1053,6 +1053,21 @@ SELECT * FROM pg_largeobject LIMIT 0;
 SET SESSION AUTHORIZATION regress_priv_user1;
 SELECT * FROM pg_largeobject LIMIT 0;                  -- to be denied
 
+-- pg_signal_backend can't signal superusers
+RESET SESSION AUTHORIZATION;
+BEGIN;
+CREATE OR REPLACE FUNCTION terminate_nothrow(pid int) RETURNS bool
+       LANGUAGE plpgsql SECURITY DEFINER SET client_min_messages = error AS $$
+BEGIN
+       RETURN pg_terminate_backend($1);
+EXCEPTION WHEN OTHERS THEN
+       RETURN false;
+END$$;
+ALTER FUNCTION terminate_nothrow OWNER TO pg_signal_backend;
+SELECT backend_type FROM pg_stat_activity
+WHERE CASE WHEN COALESCE(usesysid, 10) = 10 THEN terminate_nothrow(pid) END;
+ROLLBACK;
+
 -- test default ACLs
 \c -