MigOpsRepos / credcheck

PostgreSQL plain credential checker
MIT License

credcheck makes postgres crash when trying to define a NULL password #25

Closed ragaoua closed 1 year ago

ragaoua commented 1 year ago

When trying to define a NULL password for a role, I get a message indicating that the instance crashed:

postgres=# CREATE ROLE toto;
CREATE ROLE
postgres=# ALTER ROLE toto PASSWORD NULL;
server closed the connection unexpectedly
        This probably means the server terminated abnormally
        before or while processing the request.
The connection to the server was lost. Attempting reset: Failed.
The connection to the server was lost. Attempting reset: Failed.
!?>

I get the same behavior when trying to create a role with a NULL password:

postgres=# CREATE ROLE toto PASSWORD NULL;
server closed the connection unexpectedly
        This probably means the server terminated abnormally
        before or while processing the request.
The connection to the server was lost. Attempting reset: Failed.
The connection to the server was lost. Attempting reset: Failed.
!?>

This doesn't happen when credcheck is not loaded in the shared_preload_libraries.

I don't think this "works as designed", as I would rather have expected credcheck to, at least, display a message saying that I can't define a NULL password. But that's not the case, plus the documentation says that credcheck allows for creating roles without passwords.

These are the instance logs at the moment the crash happens:

...
2023-09-15 17:43:32 CEST : [],[4217], [5]: [0] ,usr=[postgres], db=[postgres], cli=[[local]], app=[psql], sid=[65047b9b.1079],qid=[0] : LOG:  statement: ALTER ROLE toto PASSWORD NULL;
2023-09-15 17:43:32 CEST : [],[1912], [9]: LOG:  server process (PID 4217) was terminated by signal 11: Segmentation fault
2023-09-15 17:43:32 CEST : [],[1912], [10]: DETAIL:  Failed process was running: ALTER ROLE toto PASSWORD NULL;
2023-09-15 17:43:32 CEST : [],[1912], [11]: LOG:  terminating any other active server processes
...
2023-09-15 17:43:32 CEST : [],[1912], [12]: LOG:  all server processes terminated; reinitializing
2023-09-15 17:43:32 CEST : [],[5076], [1]: LOG:  database system was interrupted; last known up at 2023-09-15 17:43:01 CEST
...
2023-09-15 17:43:32 CEST : [],[5076], [2]: LOG:  database system was not properly shut down; automatic recovery in progress
...
2023-09-15 17:43:32 CEST : [],[1912], [14]: LOG:  database system is ready to accept connections

The "Segmentation fault" message makes me think there's some sort of null check that fails to be done on the password somewhere. I've looked in the code but I can't seem to pinpoint exactly what goes wrong and where.

Is this behavior something you have ever encountered?

darold commented 1 year ago

Thanks for the report. Commit 6b389c0 fixes this issue.

darold commented 1 year ago

New release v2.2 just released https://github.com/MigOpsRepos/credcheck/releases/tag/v2.2
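
The reporter's hypothesis in this thread (a missing NULL check on the password) sketched as an added C example; it is not credcheck's code and not the fix in commit 6b389c0. `RoleOption`, `check_role_password` and the 8-character minimum are hypothetical, and it assumes `PASSWORD NULL` reaches the checker as a password option whose argument is NULL.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for one parsed role option (not PostgreSQL's own
 * type). Assumption: PASSWORD NULL arrives as name "password", arg NULL. */
typedef struct {
    const char *name;
    const char *arg;
} RoleOption;

typedef enum { PW_OK, PW_NO_PASSWORD, PW_TOO_SHORT } PwResult;
#define MIN_PASSWORD_LEN 8 /* constructed policy value */

/* Constructed inputs mirroring the statements in the report. */
static const RoleOption CREATE_NO_PW[] = { { "login", "true" } };
static const RoleOption ALTER_PW_NULL[] = { { "password", NULL } };
static const RoleOption ALTER_PW_SHORT[] = { { "password", "abc" } };
static const RoleOption ALTER_PW_GOOD[] = { { "password", "c0rrect-horse" } };

/* Return the password argument, or NULL when the option is absent or was
 * written as PASSWORD NULL. The argument itself is never dereferenced. */
static const char *find_password(const RoleOption *opts, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (opts[i].name != NULL && strcmp(opts[i].name, "password") == 0)
            return opts[i].arg;
    return NULL;
}

/* Policy check: "no password" is its own result instead of a crash.
 * Dropping the NULL test would hand NULL to strlen(), which is undefined
 * behaviour and typically ends in a segmentation fault. */
PwResult check_role_password(const RoleOption *opts, size_t n)
{
    const char *pw = find_password(opts, n);
    if (pw == NULL)
        return PW_NO_PASSWORD;
    if (strlen(pw) < MIN_PASSWORD_LEN)
        return PW_TOO_SHORT;
    return PW_OK;
}

int main(void)
{
    printf("absent=%d null=%d short=%d good=%d\n",
           check_role_password(CREATE_NO_PW, 1), check_role_password(ALTER_PW_NULL, 1),
           check_role_password(ALTER_PW_SHORT, 1), check_role_password(ALTER_PW_GOOD, 1));
    return 0;
}
```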