Fixed server roles except sysadmin should not have membership in data…

…base guest roles (#3184) With this commit we ensure that any fixed server role other than sysadmin should not have membership in databases' guest role. Issues Resolved: BABEL-5408 Signed-off-by: ANJU BHARTI <[email protected]>
babelfish-for-postgresql · Dec 9, 2024 · 0947bbd · 0947bbd
1 parent 06fb237
commit 0947bbd
Show file tree

Hide file tree

Showing 7 changed files with 1,564 additions and 3 deletions.
diff --git a/contrib/babelfishpg_tsql/src/dbcmds.c b/contrib/babelfishpg_tsql/src/dbcmds.c
@@ -1128,7 +1128,8 @@ grant_guest_to_logins(StringInfoData *query)
 		const char *name = NameStr(*(DatumGetName(rolname)));
 		Oid			roleid = get_role_oid(name, false);
 
-		if (!role_is_sa(roleid))
+		/* sa and fixed server roles except sysadmin should not have membership in database guest roles */
+		if (!(role_is_sa(roleid) || ((get_sysadmin_oid() != roleid) && IS_BBF_FIXED_SERVER_ROLE(name))))
 		{
 			logins = lappend(logins, make_rolespec_node(name));
 		}

diff --git a/contrib/babelfishpg_tsql/src/rolecmds.c b/contrib/babelfishpg_tsql/src/rolecmds.c
@@ -181,8 +181,9 @@ create_bbf_authid_login_ext(CreateRoleStmt *stmt)
 	/* Advance cmd counter to make the insert visible */
 	CommandCounterIncrement();
 
-	/* Grant membership to guests */
-	if (!role_is_sa(roleid))
+	/* Grant membership of guests */
+	/* sa and fixed server roles except sysadmin should not have membership in database guest roles */
+	if (!(role_is_sa(roleid) || ((get_sysadmin_oid() != roleid) && IS_BBF_FIXED_SERVER_ROLE(stmt->role))))
 		grant_guests_to_login(GetUserNameFromId(roleid, false));
 }
 

diff --git a/test/JDBC/expected/dbcreator_role-vu-verify.out b/test/JDBC/expected/dbcreator_role-vu-verify.out
@@ -165,6 +165,12 @@ go
 create user u1 for login dbcreator_login1
 go
 
+use master
+go
+
+grant select on dbcreator_tb1 to guest
+go
+
 -- terminate-tsql-conn
 
 -- tsql user=dbcreator_login1 password=123
@@ -184,6 +190,22 @@ u1
 use master
 go
 
+-- should not be able to select on table
+select current_user
+go
+~~START~~
+varchar
+dbcreator_user1
+~~END~~
+
+
+select * from dbcreator_tb1
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: permission denied for table dbcreator_tb1)~~
+
+
 EXEC sp_renamedb 'dbcreator_db', 'dbcreator_db_1'
 GO
 
@@ -271,6 +293,31 @@ go
 
 -- terminate-tsql-conn
 
+-- psql
+-- should not have membership in database guest role
+SELECT roleid::regrole, member::regrole FROM pg_auth_members WHERE member = 'dbcreator'::regrole;
+go
+~~START~~
+regrole#!#regrole
+~~END~~
+
+
+SELECT roleid::regrole, member::regrole FROM pg_auth_members WHERE member = 'sysadmin'::regrole
+AND roleid::regrole::text ~ '^(master|msdb|tempdb|dbcreator)_' order by roleid::regrole;
+go
+~~START~~
+regrole#!#regrole
+master_dbo#!#sysadmin
+master_guest#!#sysadmin
+tempdb_dbo#!#sysadmin
+tempdb_guest#!#sysadmin
+msdb_dbo#!#sysadmin
+msdb_guest#!#sysadmin
+dbcreator_db1_dbo#!#sysadmin
+dbcreator_db1_guest#!#sysadmin
+~~END~~
+
+
 -- tsql user=dbcreator_login1 password=123
 -- should be allowed
 EXEC sp_renamedb 'dbcreator_db1', 'dbcreator_db2'
@@ -1186,6 +1233,30 @@ GO
 
 
 -- psql
+-- dbcreator should not have membership in database guest role
+SELECT roleid::regrole, member::regrole FROM pg_auth_members WHERE member = 'dbcreator'::regrole;
+go
+~~START~~
+regrole#!#regrole
+~~END~~
+
+
+SELECT roleid::regrole, member::regrole FROM pg_auth_members WHERE member = 'sysadmin'::regrole
+AND roleid::regrole::text ~ '^(master|msdb|tempdb|dbcreator)_' order by roleid::regrole;
+go
+~~START~~
+regrole#!#regrole
+master_dbo#!#sysadmin
+master_guest#!#sysadmin
+tempdb_dbo#!#sysadmin
+tempdb_guest#!#sysadmin
+msdb_dbo#!#sysadmin
+msdb_guest#!#sysadmin
+dbcreator_db1_dbo#!#sysadmin
+dbcreator_db1_guest#!#sysadmin
+~~END~~
+
+
 -- normal PG user
 CREATE USER dbcreator_restrictions_pg_user WITH LOGIN CREATEROLE PASSWORD '12345678' inherit;
 go

diff --git a/test/JDBC/expected/securityadmin_role-vu-verify.out b/test/JDBC/expected/securityadmin_role-vu-verify.out
@@ -406,6 +406,14 @@ int
 CREATE EXTENSION IF NOT EXISTS tds_fdw;
 GO
 
+-- securityadmin should not have membership in database guest role
+SELECT roleid::regrole, member::regrole FROM pg_auth_members WHERE member = 'securityadmin'::regrole;
+go
+~~START~~
+regrole#!#regrole
+~~END~~
+
+
 -- tsql
 -- Add localhost as linked server
 EXEC sp_addlinkedserver  @server = N'server_4229', @srvproduct=N'', @provider=N'SQLNCLI', @datasrc=N'localhost', @catalog=N'master'
@@ -461,6 +469,15 @@ go
 
 -- terminate-tsql-conn
 
+-- psql
+-- should not have membership in database guest role
+SELECT roleid::regrole, member::regrole FROM pg_auth_members WHERE member = 'securityadmin'::regrole;
+go
+~~START~~
+regrole#!#regrole
+~~END~~
+
+
 -- tsql user=securityadmin_login1 password=123
 -- it should be able to connect to the database
 use securityadmin_db1
@@ -704,6 +721,12 @@ go
 create user no_securityadmin_user1 for login no_securityadmin_login1
 go
 
+use master
+go
+
+GRANT select on securityadmin_tb1 to guest
+go
+
 -- terminate-tsql-conn
 
 -- tsql user=securityadmin_login1 password=123
@@ -739,6 +762,14 @@ securityadmin_user1#!#master
 ~~END~~
 
 
+-- should not be able to select on table
+select * from securityadmin_tb1
+go
+~~ERROR (Code: 33557097)~~
+
+~~ERROR (Message: permission denied for table securityadmin_tb1)~~
+
+
 select suser_name()
 go
 ~~START~~