
Serious problem within authentication subsystem in 7.0

From: Matt Sullivan <matt(at)sullivan(dot)gen(dot)nz>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Serious problem within authentication subsystem in 7.0
Date: 2000-05-23 00:12:24
Message-ID: Pine.LNX.3.96.1000523112819.23023A-100000@feta.sullivan.gen.nz
Lists: pgsql-hackers
Hi,

Ok, I know the mailing list web page states: YOU MUST TRY ELSEWHERE FIRST! and
this should, technically speaking, be reported as a bug; however, given that the
security implications are potentially severe, I thought here would be best in
the first instance.

I have only briefly looked into this problem as I have just now discovered it.
Essentially, in our environment, we require password authentication as a
de facto.  However, it appears that once a user has authenticated with the
backend it is possible for that user to trivially assume root dba privileges or
the privileges of any other dba user.

To demonstrate the problem: 

Consider two systems: 

  pgsqlserver   192.168.1.1    - backend system
  pgsqlclient   192.168.1.2    - client system
  
Our pg_hba.conf (on pgsqlserver) now looks something similar to: 

  local   all                                     password
  host    all     127.0.0.1       255.255.255.255 password
  host    all     192.168.1.2     255.255.255.255 password

Now making connections from pgsqlclient (192.168.1.2) would require password
authentication.  To show that this works, entering an incorrect password...

  pgsqlclient:/home/matt 11:33am > psql -h pgsqlserver -U matt matt
  Password: 
  psql: Password authentication failed for user 'matt'

Now a correct password: 

  pgsqlclient:/home/matt 11:36am > psql -h pgsqlserver -U matt matt
  Password: 
  Welcome to psql, the PostgreSQL interactive terminal.
  
  Type:  \copyright for distribution terms
         \h for help with SQL commands
         \? for help on internal slash commands
         \g or terminate with semicolon to execute query
         \q to quit
  
  matt=> 

Ok, so at the top level password authentication works, now to the problem... 

Once authenticated it is possible to trivially assume another user's identity
without further authentication, e.g.

  matt=> \c template1 postgres
  You are now connected to database template1 as user postgres.
  template1=# 

Or, assume any other user's identity:

  matt=> \c www www
  You are now connected to database www as user www.
  www=> 

Ouch. 

I have not tested to see if this is specific to the password authentication
method or a general problem relating to any of the supported methods and I have
limited time to investigate this at the moment.

Is there anyone who specifically maintains the authentication subsystem that I
could communicate with directly?  I would be interested to offer whatever
assistance I can. 


Regards,
Matt.


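The mail's pg_hba.conf is the 7.0 format (type, database, address, netmask, method), and the server applies the first rule that matches a fresh connection. The following is an added example, not part of the mail or of the PostgreSQL source: it parses that format, answers which rule would govern a given client connection, and lists rules whose method does not check a password. The first configuration is the one from the mail; LAX_HBA, the function names and the client addresses 192.168.1.3 and 192.168.1.0/24 are constructed for illustration. Note what this cannot do: it only models the server's decision on a new connection, so it says nothing about the reconnection behaviour the mail reports after authentication has already succeeded.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# pg_hba.conf from the mail (copied verbatim).
SAMPLE_HBA = """\
local   all                                     password
host    all     127.0.0.1       255.255.255.255 password
host    all     192.168.1.2     255.255.255.255 password
"""

# Constructed misordered variant (not from the mail): a wide 'trust' entry
# placed before the narrower password entry, which first-match then defeats.
LAX_HBA = """\
host    all     192.168.1.0     255.255.255.0   trust
host    all     192.168.1.2     255.255.255.255 password
"""

# 7.0 methods that verify a password. 'trust' checks nothing; 'ident' and the
# Kerberos methods rely on something other than a password.
PASSWORD_METHODS = {"password", "crypt"}


@dataclass
class HbaRule:
    conn_type: str                              # "local" or "host"
    database: str                               # "all", "sameuser" or a name
    network: Optional[ipaddress.IPv4Network]    # None for local rules
    method: str
    lineno: int


def parse_hba(text: str) -> List[HbaRule]:
    """Parse 7.0-style rules: 'local db method' / 'host db ip mask method'."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local" and len(fields) == 3:
            rules.append(HbaRule("local", fields[1], None, fields[2], lineno))
        elif fields[0] == "host" and len(fields) == 5:
            # Address plus dotted netmask, exactly as the file spells it.
            net = ipaddress.IPv4Network((fields[2], fields[3]), strict=False)
            rules.append(HbaRule("host", fields[1], net, fields[4], lineno))
        else:
            raise ValueError(f"pg_hba.conf line {lineno}: unrecognised rule {raw!r}")
    return rules


def _database_matches(rule_db: str, database: str, user: str) -> bool:
    if rule_db == "all":
        return True
    if rule_db == "sameuser":
        return database == user
    return rule_db == database


def find_rule(rules, conn_type, database, user, client_ip=None):
    """First matching rule in file order, or None if no rule admits the client.

    This models the server's decision for a fresh connection only; it says
    nothing about what psql's \\c does on an already authenticated session.
    """
    if conn_type == "host" and client_ip is None:
        raise ValueError("host connections need a client address")
    addr = ipaddress.IPv4Address(client_ip) if client_ip else None
    for rule in rules:
        if rule.conn_type != conn_type:
            continue
        if not _database_matches(rule.database, database, user):
            continue
        if rule.conn_type == "host" and addr not in rule.network:
            continue
        return rule
    return None


def non_password_rules(rules):
    """Rules that admit a client without a password check."""
    return [r for r in rules if r.method not in PASSWORD_METHODS]


if __name__ == "__main__":
    rules = parse_hba(SAMPLE_HBA)
    hit = find_rule(rules, "host", "matt", "matt", "192.168.1.2")
    print(f"pgsqlclient -> rule on line {hit.lineno}: {hit.method}")
    print("unlisted host:", find_rule(rules, "host", "matt", "matt", "192.168.1.3"))
    lax = parse_hba(LAX_HBA)
    hit = find_rule(lax, "host", "matt", "matt", "192.168.1.2")
    print(f"misordered file -> rule on line {hit.lineno}: {hit.method}")
    print("rules without a password check:", [r.lineno for r in non_password_rules(lax)])
```

Run against the mail's file, the client at 192.168.1.2 lands on line 3 (password) and an unlisted host gets no rule at all; against the misordered file the same client is admitted by the line 1 trust rule and the password rule below it is never consulted, which is why order matters as much as method when auditing pg_hba.conf.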


Copyright © 1996-2014 The PostgreSQL Global Development Group