From 5f9e88b260a492fb755f823541a5b2581e5d0d29 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philip=20Dub=C3=A9?=
Date: Tue, 27 Aug 2019 17:08:26 +0000
Subject: [PATCH] multi_multiuser: test that worker_merge_files_and_query doesn't allow privilege escalation
---
 src/test/regress/expected/multi_multiuser.out | 21 +++++++++++++++----
 .../regress/expected/multi_multiuser_0.out | 19 ++++++++++++++---
 src/test/regress/sql/multi_multiuser.sql | 12 +++++++++++
 3 files changed, 45 insertions(+), 7 deletions(-)
diff --git a/src/test/regress/expected/multi_multiuser.out b/src/test/regress/expected/multi_multiuser.out
index bd4eb312f..3a85444bd 100644
--- a/src/test/regress/expected/multi_multiuser.out
+++ b/src/test/regress/expected/multi_multiuser.out
@@ -402,7 +402,7 @@ INSERT INTO full_access_user_schema.t1 VALUES (1),(2),(3);
 -- not allowed to create a table
 SELECT create_distributed_table('full_access_user_schema.t1', 'id');
 ERROR: permission denied for schema full_access_user_schema
-CONTEXT: while executing command on localhost:57638
+CONTEXT: while executing command on localhost:57637
 RESET ROLE;
 -- now we distribute the table as super user
 SELECT create_distributed_table('full_access_user_schema.t1', 'id');
@@ -536,7 +536,7 @@ ERROR: could not receive file "base/pgsql_job_cache/job_0042/task_000001/p_0000
 -- different user should not be able to fetch partition file
 SET ROLE usage_access;
 SELECT worker_fetch_partition_file(42, 1, 1, 1, 'localhost', :worker_1_port);
-WARNING: could not open file "base/pgsql_job_cache/job_0042/task_000001/p_00001.18007": No such file or directory
+WARNING: could not open file "base/pgsql_job_cache/job_0042/task_000001/p_00001.17981": No such file or directory
 CONTEXT: while executing command on localhost:57637
 ERROR: could not receive file "base/pgsql_job_cache/job_0042/task_000001/p_00001" from localhost:57637
 -- only the user whom created the files should be able to fetch
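Review bot: The -/+ pairs in this hunk and in @@ -402 change only a run-specific value — the file suffix `p_00001.18007` → `p_00001.17981`, which looks like a backend PID or transaction id, and the reporting worker port `57638` → `57637` — so the expected output will keep drifting with every environment change, and this commit only refreshes the numbers rather than removing the dependency. If the suffix and port are not deterministic across runs (I cannot confirm that from the diff alone), the stable part of the message is what the test should pin, with the variable part normalized before comparison in the regression harness. The same churn appears in the @@ -575 and @@ -617 hunks of both multi_multiuser.out and multi_multiuser_0.out, where `task_000001.18003` becomes `task_000001.17977`.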
@@ -575,7 +575,7 @@ RESET ROLE;
 -- test that the super user is unable to read the contents of the intermediate file,
 -- although it does create the table
 SELECT worker_merge_files_into_table(42, 1, ARRAY['a'], ARRAY['integer']);
-WARNING: Task file "task_000001.18003" does not have expected suffix ".10"
+WARNING: Task file "task_000001.17977" does not have expected suffix ".10"
 worker_merge_files_into_table
 -------------------------------
@@ -617,7 +617,7 @@ SELECT worker_merge_files_and_run_query(42, 1,
 'CREATE TABLE task_000001_merge(merge_column_0 int)',
 'CREATE TABLE task_000001 (a) AS SELECT sum(merge_column_0) FROM task_000001_merge'
 );
-WARNING: Task file "task_000001.18003" does not have expected suffix ".10"
+WARNING: Task file "task_000001.17977" does not have expected suffix ".10"
 worker_merge_files_and_run_query
 ----------------------------------
@@ -647,6 +647,19 @@ SELECT worker_merge_files_and_run_query(42, 1,
 (1 row)
+-- test that owner of task cannot execute arbitrary sql
+SELECT worker_merge_files_and_run_query(42, 1,
+ 'CREATE TABLE task_000002_merge(merge_column_0 int)',
+ 'DROP USER usage_access'
+);
+ERROR: permission denied to drop role
+CONTEXT: SQL statement "DROP USER usage_access"
+SELECT worker_merge_files_and_run_query(42, 1,
+ 'DROP USER usage_access',
+ 'CREATE TABLE task_000002 (a) AS SELECT sum(merge_column_0) FROM task_000002_merge'
+);
+ERROR: permission denied to drop role
+CONTEXT: SQL statement "DROP USER usage_access"
 SELECT count(*) FROM pg_merge_job_0042.task_000001_merge;
 count
 -------
diff --git a/src/test/regress/expected/multi_multiuser_0.out b/src/test/regress/expected/multi_multiuser_0.out
index 9759d0fe6..0264ac8ca 100644
--- a/src/test/regress/expected/multi_multiuser_0.out
+++ b/src/test/regress/expected/multi_multiuser_0.out
@@ -536,7 +536,7 @@ ERROR: could not receive file "base/pgsql_job_cache/job_0042/task_000001/p_0000
 -- different user should not be able to fetch partition file
 SET ROLE usage_access;
 SELECT worker_fetch_partition_file(42, 1, 1, 1, 'localhost', :worker_1_port);
-WARNING: could not open file "base/pgsql_job_cache/job_0042/task_000001/p_00001.18058": No such file or directory
+WARNING: could not open file "base/pgsql_job_cache/job_0042/task_000001/p_00001.18007": No such file or directory
 CONTEXT: while executing command on localhost:57637
 ERROR: could not receive file "base/pgsql_job_cache/job_0042/task_000001/p_00001" from localhost:57637
 -- only the user whom created the files should be able to fetch
@@ -575,7 +575,7 @@ RESET ROLE;
 -- test that the super user is unable to read the contents of the intermediate file,
 -- although it does create the table
 SELECT worker_merge_files_into_table(42, 1, ARRAY['a'], ARRAY['integer']);
-WARNING: Task file "task_000001.18054" does not have expected suffix ".10"
+WARNING: Task file "task_000001.18003" does not have expected suffix ".10"
 worker_merge_files_into_table
 -------------------------------
@@ -617,7 +617,7 @@ SELECT worker_merge_files_and_run_query(42, 1,
 'CREATE TABLE task_000001_merge(merge_column_0 int)',
 'CREATE TABLE task_000001 (a) AS SELECT sum(merge_column_0) FROM task_000001_merge'
 );
-WARNING: Task file "task_000001.18054" does not have expected suffix ".10"
+WARNING: Task file "task_000001.18003" does not have expected suffix ".10"
 worker_merge_files_and_run_query
 ----------------------------------
@@ -647,6 +647,19 @@ SELECT worker_merge_files_and_run_query(42, 1,
 (1 row)
+-- test that owner of task cannot execute arbitrary sql
+SELECT worker_merge_files_and_run_query(42, 1,
+ 'CREATE TABLE task_000002_merge(merge_column_0 int)',
+ 'DROP USER usage_access'
+);
+ERROR: permission denied to drop role
+CONTEXT: SQL statement "DROP USER usage_access"
+SELECT worker_merge_files_and_run_query(42, 1,
+ 'DROP USER usage_access',
+ 'CREATE TABLE task_000002 (a) AS SELECT sum(merge_column_0) FROM task_000002_merge'
+);
+ERROR: permission denied to drop role
+CONTEXT: SQL statement "DROP USER usage_access"
 SELECT count(*) FROM pg_merge_job_0042.task_000001_merge;
 count
 -------
diff --git a/src/test/regress/sql/multi_multiuser.sql b/src/test/regress/sql/multi_multiuser.sql
index 6ed300ae2..4ce88471d 100644
--- a/src/test/regress/sql/multi_multiuser.sql
+++ b/src/test/regress/sql/multi_multiuser.sql
@@ -411,6 +411,18 @@ SELECT worker_merge_files_and_run_query(42, 1,
 'CREATE TABLE task_000001_merge(merge_column_0 int)',
 'CREATE TABLE task_000001 (a) AS SELECT sum(merge_column_0) FROM task_000001_merge'
 );
+
+-- test that owner of task cannot execute arbitrary sql
+SELECT worker_merge_files_and_run_query(42, 1,
+ 'CREATE TABLE task_000002_merge(merge_column_0 int)',
+ 'DROP USER usage_access'
+);
+
+SELECT worker_merge_files_and_run_query(42, 1,
+ 'DROP USER usage_access',
+ 'CREATE TABLE task_000002 (a) AS SELECT sum(merge_column_0) FROM task_000002_merge'
+);
+
 SELECT count(*) FROM pg_merge_job_0042.task_000001_merge;
 SELECT count(*) FROM pg_merge_job_0042.task_000001;
 DROP TABLE pg_merge_job_0042.task_000001, pg_merge_job_0042.task_000001_merge; -- drop table so we can reuse the same files for more tests
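Review bot: The two new calls in the multi_multiuser.sql hunk pin only the error text `permission denied to drop role`; nothing afterwards verifies the invariant the test is about, namely that the probe had no effect on the cluster. I would add an explicit check after the second call, `SELECT count(*) FROM pg_roles WHERE rolname = 'usage_access';`, and a matching one for `pg_merge_job_0042.task_000002_merge` so that a partially applied first call (the table created, then the second statement failing) is also caught rather than silently tolerated. The role active at this point is set outside the hunk, so the new comment should say which principal the function is expected to run the two queries as and why a superuser-only statement is therefore rejected — something like `-- the queries run as the task owner, not the caller, so superuser-only statements must be refused`, assuming that is the mechanism under test, which I cannot confirm from the hunk. The same expected output is duplicated in the @@ -647 hunks of both .out files.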