EXECUTE Grant is not required to execute functions #103842

data-matt · 2023-05-24T15:23:46Z

Describe the problem

EXECUTE Grant is not required to run an UDF.

To Reproduce

 CREATE FUNCTION function_test.test.my_add(a INT, b INT) RETURNS INT IMMUTABLE LEAKPROOF LANGUAGE SQL AS 'SELECT a + b';
-- As user2, execute the function
select function_test.test.my_add(1,2);
  my_add
----------
       3
(1 row)

revoke execute on function function_test.test.my_add from tester;
-- try again after revoke, still works
select function_test.test.my_add(1,2);
  my_add
----------
       3
(1 row)

 SELECT rolname FROM pg_catalog.pg_proc f                                                                                                     JOIN pg_catalog.pg_roles r ON f.proowner = r.oid                                                                                                                                 WHERE proname = 'my_add';
     rolname
------------------
  function_owner
(1 row)

select function_test.test.my_add(1,2);
  my_add
----------
       3

Expected behavior
Users can only use the function when granted/they have the privilege/they have inherited the privilege or they are the owner.

Afflicted versions 22.2+ (Please backport).

Jira issue: CRDB-28228

The text was updated successfully, but these errors were encountered:

data-matt · 2023-05-24T16:37:33Z

For those concerned about access to underlying table data, the function does respect SELECT grant.

Example here:

root@localhost:26257/function_test> create table t1 ( c1 int );
root@localhost:26257/function_test> insert into t1 values ( 0 ) ;
root@localhost:26257/function_test> create function test_select () returns int language sql as 'select c1 from t1';
root@localhost:26257/function_test> set role tester;
root@localhost:26257/function_test> select test_select();

ERROR: user tester does not have SELECT privilege on relation t1
SQLSTATE: 42501

mgartner · 2023-06-01T20:17:37Z

@data-matt The example you posted behaves identically to Postgres. I'll try to come up with a working reproduction of the issue.

rafiss · 2023-06-01T20:26:00Z

Probably because of this:

PostgreSQL grants privileges on some types of objects to PUBLIC by default when the objects are created. No privileges are granted to PUBLIC by default on tables, table columns, sequences, foreign data wrappers, foreign servers, large objects, schemas, tablespaces, or configuration parameters. For other types of objects, the default privileges granted to PUBLIC are as follows: CONNECT and TEMPORARY (create temporary tables) privileges for databases; EXECUTE privilege for functions and procedures; and USAGE privilege for languages and data types (including domains). The object owner can, of course, REVOKE both default and expressly granted privileges.

As part of this fix, we should also add an explicit grant to public for functions that are created.

Here's a repro in PG:

postgres=# create user tester;

postgres=# create schema test;

postgres=# grant usage on schema test to tester;

postgres=#  CREATE FUNCTION test.my_add(a INT, b INT) RETURNS INT IMMUTABLE LEAKPROOF LANGUAGE SQL AS 'SELECT a + b';

postgres=# revoke execute on function test.my_add from public;

postgres=# set role tester;

postgres=> select test.my_add(1,2);
ERROR:  42501: permission denied for function my_add
LOCATION:  aclcheck_error, aclchk.c:3449

rafiss · 2023-06-01T20:29:52Z

I just realized that backporting the fix to enforce EXECUTE privileges is going to be disruptive. Since we weren't giving public the EXECUTE privilege, it means if we backport that change, then queries that previously would work could start getting privilege errors. So for the backport, we'll probably need a cluster setting that's named something like sql.auth.enforce_execute_privilege.enabled and it should be false in the backport.

rafiss · 2023-07-12T05:45:43Z

I think this also means that we should write an upgrade step that does GRANT EXECUTE ON <func> TO public during the upgrade to 23.2 for each user-defined-function.

107317: sql: functions have EXECUTE priv for public by default r=rafiss a=rafiss This uses the default privilege infrastructure in a similar way to how the USAGE privilege for types is given to `public` by default. This also fixes a display bug that was preventing the ALL privileges that are given to root and admin from being shown in SHOW. informs #103842 A complete fix for that issue may also require an upgrade migration to give existing functions the EXECUTE privilege for public. Release note (sql change): The public pseudo-role now receives the EXECUTE privilege by default for all user-defined functions that are created. This can be adjusted by using ALTER DEFAULT PRIVILEGES. Co-authored-by: Rafi Shamim <[email protected]>

mgartner · 2023-07-25T19:25:51Z

I just realized that backporting the fix to enforce EXECUTE privileges is going to be disruptive. Since we weren't giving public the EXECUTE privilege, it means if we backport that change, then queries that previously would work could start getting privilege errors. So for the backport, we'll probably need a cluster setting that's named something like sql.auth.enforce_execute_privilege.enabled and it should be false in the backport.

Should we just not backport?

I think this also means that we should write an upgrade step that does GRANT EXECUTE ON TO public during the upgrade to 23.2 for each user-defined-function.

Is this something the foundations team can do?

Informs cockroachdb#103842 Release note (bug fix): A bug has been fixed that allowed users to execute a user-defined function without having EXECUTE privileges on the function. This bug has been present since version 22.2 when UDFs were introduced.

EXECUTE privileges are now correctly checked for each user-defined function referenced in a query. Informs cockroachdb#103842 Release note (bug fix): A bug has been fixed that allowed users to execute a user-defined function without having EXECUTE privileges on the function. This bug has been present since version 22.2 when UDFs were introduced.

107587: sql: fix EXECUTE privileges for UDFs r=mgartner a=mgartner #### sql: fix EXECUTE privileges for UDFs Informs #103842 Release note (bug fix): A bug has been fixed that allowed users to execute a user-defined function without having EXECUTE privileges on the function. This bug has been present since version 22.2 when UDFs were introduced. #### upgrades: adds upgrade granting EXECUTE to public role for all functions This commit adds an upgrade that grants EXECUTE privileges to the public role for all existing functions. This matches the behavior of `CREATE FUNCTION` which automatically adds this privilege as of #107317. Release note: None #### catpb: document `UserPrivilege.WithGrantOption` Release note: None 110866: tenantrate: update default rate_limit to -400 r=andy-kimball a=andy-kimball Previously, the default tenant rate limit was a relative value of -200, meaning that a single tenant is allowed to use up to ~20% of a KV node's CPU. This change updates that to -400, because experience has shown that it provides better tenant burst performance while still providing sufficiently predictable performance, given today's host cluster sizes and utilization. Fixes: https://cockroachlabs.atlassian.net/browse/CC-25687 Release note: None 110910: storage: limit number of replicated lock conflicts returned by mutations r=nvanbenschoten a=nvanbenschoten Closes #110902. This commit limits the number of replicated lock conflicts returned by locking and mutation operations during evaluation to the value of the `storage.mvcc.max_conflicts_per_lock_conflict_error` cluster setting. Release note: None Co-authored-by: Marcus Gartner <[email protected]> Co-authored-by: Andrew Kimball <[email protected]> Co-authored-by: Nathan VanBenschoten <[email protected]>

mgartner · 2023-09-22T16:12:25Z

I believe this is now completed. The fixes are far too invasive to backport, unfortunately.

data-matt added the C-bug Code not up to spec/doc, specs & docs deemed correct. Solution expected to change code/behavior. label May 24, 2023

data-matt assigned mgartner May 24, 2023

blathers-crl bot added the T-sql-queries SQL Queries Team label May 24, 2023

mgartner added A-sql-routine UDFs and Stored Procedures and removed T-sql-queries SQL Queries Team labels May 24, 2023

rafiss mentioned this issue Jul 20, 2023

sql: functions have EXECUTE priv for public by default #107317

Merged

mgartner added this to SQL Queries Jul 24, 2023

mgartner moved this to Active in SQL Queries Jul 24, 2023

mgartner mentioned this issue Jul 25, 2023

sql: fix EXECUTE privileges for UDFs #107587

Merged

mgartner closed this as completed Sep 22, 2023

github-project-automation bot moved this from Active to Done in SQL Queries Sep 22, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

EXECUTE Grant is not required to execute functions #103842

EXECUTE Grant is not required to execute functions #103842

data-matt commented May 24, 2023 •

edited

Loading

data-matt commented May 24, 2023

mgartner commented Jun 1, 2023

rafiss commented Jun 1, 2023

rafiss commented Jun 1, 2023

rafiss commented Jul 12, 2023

mgartner commented Jul 25, 2023

mgartner commented Sep 22, 2023

EXECUTE Grant is not required to execute functions #103842

EXECUTE Grant is not required to execute functions #103842

Comments

data-matt commented May 24, 2023 • edited Loading

data-matt commented May 24, 2023

mgartner commented Jun 1, 2023

rafiss commented Jun 1, 2023

rafiss commented Jun 1, 2023

rafiss commented Jul 12, 2023

mgartner commented Jul 25, 2023

mgartner commented Sep 22, 2023

data-matt commented May 24, 2023 •

edited

Loading