This is an automated email from the ASF dual-hosted git repository.
reshke pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/cloudberry.git
The following commit(s) were added to refs/heads/main by this push:
new e03c66deb04 Backport: Ban role pg_signal_backend from more superuser
backend types. (#1504)
e03c66deb04 is described below
commit e03c66deb049941615358e7f501da33ab673ec17
Author: reshke <[email protected]>
AuthorDate: Tue Feb 17 15:40:33 2026 +0500
Backport: Ban role pg_signal_backend from more superuser backend types.
(#1504)
Cherry-picked from
https://git.postgresql.org/cgit/postgresql.git/commit/?id=3a9b18b3095366cd0c4305441d426d04572d88c1
Apache Cloudberry changes reviewed by Andrey Borodin and Max Yang.
Documentation says it cannot signal "a backend owned by a superuser".
On the contrary, it could signal background workers, including the
logical replication launcher. It could signal autovacuum workers and
the autovacuum launcher. Block all that. Signaling autovacuum workers
and those two launchers doesn't stall progress beyond what one could
achieve other ways. If a cluster uses a non-core extension with a
background worker that does not auto-restart, this could create a denial
of service with respect to that background worker. A background worker
with bugs in its code for responding to terminations or cancellations
could experience those bugs at a time the pg_signal_backend member
chooses. Back-patch to v11 (all supported versions).
Reviewed by Jelte Fennema-Nio. Reported by Hemanth Sandrana and
Mahendrakar Srinivasarao.
Security: CVE-2023-5870
Co-authored-by: Noah Misch <[email protected]>
---
src/backend/storage/ipc/signalfuncs.c | 37 +++++++-------------------------
src/test/regress/expected/privileges.out | 18 ++++++++++++++++
src/test/regress/sql/privileges.sql | 15 +++++++++++++
3 files changed, 41 insertions(+), 29 deletions(-)
diff --git a/src/backend/storage/ipc/signalfuncs.c
b/src/backend/storage/ipc/signalfuncs.c
index 753b94752d3..7f8e420a6a5 100644
--- a/src/backend/storage/ipc/signalfuncs.c
+++ b/src/backend/storage/ipc/signalfuncs.c
@@ -52,7 +52,6 @@ static int
pg_signal_backend(int pid, int sig, char *msg)
{
PGPROC *proc = BackendPidGetProc(pid);
- LocalPgBackendStatus *local_beentry;
/*
* BackendPidGetProc returns NULL if the pid isn't valid; but by the
time
@@ -73,34 +72,14 @@ pg_signal_backend(int pid, int sig, char *msg)
return SIGNAL_BACKEND_ERROR;
}
- local_beentry = pgstat_fetch_stat_local_beentry_by_pid(pid);
-
- /* Only allow superusers to signal superuser-owned backends. */
- if (superuser_arg(proc->roleId) && !superuser())
- {
- Oid role;
- char * appname;
-
- if (local_beentry == NULL) {
- return SIGNAL_BACKEND_NOSUPERUSER;
- }
-
- role = get_role_oid("mdb_admin", true /*if nodoby created
mdb_admin role in this database*/);
- appname = local_beentry->backendStatus.st_appname;
-
- // only allow mdb_admin to kill su queries
- if (!is_member_of_role(GetUserId(), role)) {
- return SIGNAL_BACKEND_NOSUPERUSER;
- }
-
- if (local_beentry->backendStatus.st_backendType ==
B_AUTOVAC_WORKER) {
- // ok
- } else if (appname != NULL && strcmp(appname, "MDB") == 0) {
- // ok
- } else {
- return SIGNAL_BACKEND_NOSUPERUSER;
- }
- }
+ /*
+ * Only allow superusers to signal superuser-owned backends. Any
process
+ * not advertising a role might have the importance of a superuser-owned
+ * backend, so treat it that way.
+ */
+ if ((!OidIsValid(proc->roleId) || superuser_arg(proc->roleId)) &&
+ !superuser())
+ return SIGNAL_BACKEND_NOSUPERUSER;
/* Users can signal backends they have role membership in. */
if (!has_privs_of_role(GetUserId(), proc->roleId) &&
diff --git a/src/test/regress/expected/privileges.out
b/src/test/regress/expected/privileges.out
index b9dfc3116ef..aa81504d8f0 100644
--- a/src/test/regress/expected/privileges.out
+++ b/src/test/regress/expected/privileges.out
@@ -1986,6 +1986,24 @@ TABLE information_schema.enabled_roles;
INSERT INTO datdba_only DEFAULT VALUES;
ERROR: permission denied for table datdba_only
+ROLLBACK;
+-- pg_signal_backend can't signal superusers
+RESET SESSION AUTHORIZATION;
+BEGIN;
+CREATE OR REPLACE FUNCTION terminate_nothrow(pid int) RETURNS bool
+ LANGUAGE plpgsql SECURITY DEFINER SET client_min_messages = error AS $$
+BEGIN
+ RETURN pg_terminate_backend($1);
+EXCEPTION WHEN OTHERS THEN
+ RETURN false;
+END$$;
+ALTER FUNCTION terminate_nothrow OWNER TO pg_signal_backend;
+SELECT backend_type FROM pg_stat_activity
+WHERE CASE WHEN COALESCE(usesysid, 10) = 10 THEN terminate_nothrow(pid) END;
+ backend_type
+--------------
+(0 rows)
+
ROLLBACK;
-- test default ACLs
\c -
diff --git a/src/test/regress/sql/privileges.sql
b/src/test/regress/sql/privileges.sql
index 02300dd5b7f..2e6242a379a 100644
--- a/src/test/regress/sql/privileges.sql
+++ b/src/test/regress/sql/privileges.sql
@@ -1208,6 +1208,21 @@ TABLE information_schema.enabled_roles;
INSERT INTO datdba_only DEFAULT VALUES;
ROLLBACK;
+-- pg_signal_backend can't signal superusers
+RESET SESSION AUTHORIZATION;
+BEGIN;
+CREATE OR REPLACE FUNCTION terminate_nothrow(pid int) RETURNS bool
+ LANGUAGE plpgsql SECURITY DEFINER SET client_min_messages = error AS $$
+BEGIN
+ RETURN pg_terminate_backend($1);
+EXCEPTION WHEN OTHERS THEN
+ RETURN false;
+END$$;
+ALTER FUNCTION terminate_nothrow OWNER TO pg_signal_backend;
+SELECT backend_type FROM pg_stat_activity
+WHERE CASE WHEN COALESCE(usesysid, 10) = 10 THEN terminate_nothrow(pid) END;
+ROLLBACK;
+
-- test default ACLs
\c -
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
