Make standard maintenance operations (including VACUUM, ANALYZE, REINDEX,

and CLUSTER) execute as the table owner rather than the calling user, using the same privilege-switching mechanism already used for SECURITY DEFINER functions. The purpose of this change is to ensure that user-defined functions used in index definitions cannot acquire the privileges of a superuser account that is performing routine maintenance. While a function used in an index is supposed to be IMMUTABLE and thus not able to do anything very interesting, there are several easy ways around that restriction; and even if we could plug them all, there would remain a risk of reading sensitive information and broadcasting it through a covert channel such as CPU usage. To prevent bypassing this security measure, execution of SET SESSION AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context. Thanks to Itagaki Takahiro for reporting this vulnerability. Security: CVE-2007-6600
author: Tom Lane <tgl@sss.pgh.pa.us> 2008-01-03 21:23:15 +0000
committer: Tom Lane <tgl@sss.pgh.pa.us> 2008-01-03 21:23:15 +0000
commit: eedb068c0a7474fb11d67d03b0a9e1ded5df82c4 (patch)
tree: 1e5a19e0970f87fea7d5e2d243d5614318229f79 /doc/src
parent: 98f27aaef34291246c09ce5d0e0fba4f4477467a (diff)
3 files changed, 21 insertions, 8 deletions
diff --git a/doc/src/sgml/ref/set_role.sgml b/doc/src/sgml/ref/set_role.sgml
index d58943fbefe..5b8e1fdfd2c 100644
--- a/doc/src/sgml/ref/set_role.sgml
+++ b/doc/src/sgml/ref/set_role.sgml
@@ -1,5 +1,5 @@
 <!--
-$PostgreSQL: pgsql/doc/src/sgml/ref/set_role.sgml,v 1.4 2007/01/31 23:26:04 momjian Exp $
+$PostgreSQL: pgsql/doc/src/sgml/ref/set_role.sgml,v 1.5 2008/01/03 21:23:15 tgl Exp $
 PostgreSQL documentation
 -->
 
@@ -31,7 +31,7 @@ RESET ROLE
 
   <para>
    This command sets the current user
-   identifier of the current SQL-session context to be <replaceable
+   identifier of the current SQL session to be <replaceable
    class="parameter">rolename</replaceable>.  The role name can be
    written as either an identifier or a string literal.
    After <command>SET ROLE</>, permissions checking for SQL commands
@@ -89,6 +89,11 @@ RESET ROLE
    roles with <command>SET ROLE</> does not change the set of roles
    allowed to a later <command>SET ROLE</>.
   </para>
+
+  <para>
+   <command>SET ROLE</> cannot be used within a
+   <literal>SECURITY DEFINER</> function.
+  </para>
  </refsect1>
 
  <refsect1>
diff --git a/doc/src/sgml/ref/set_session_auth.sgml b/doc/src/sgml/ref/set_session_auth.sgml
index 315aec14e7c..f21c58f98ea 100644
--- a/doc/src/sgml/ref/set_session_auth.sgml
+++ b/doc/src/sgml/ref/set_session_auth.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/ref/set_session_auth.sgml,v 1.16 2007/01/31 23:26:04 momjian Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/ref/set_session_auth.sgml,v 1.17 2008/01/03 21:23:15 tgl Exp $ -->
 <refentry id="SQL-SET-SESSION-AUTHORIZATION">
  <refmeta>
   <refentrytitle id="sql-set-session-authorization-title">SET SESSION AUTHORIZATION</refentrytitle>
@@ -27,7 +27,7 @@ RESET SESSION AUTHORIZATION
 
   <para>
    This command sets the session user identifier and the current user
-   identifier of the current SQL-session context to be <replaceable
+   identifier of the current SQL session to be <replaceable
    class="parameter">username</replaceable>.  The user name can be
    written as either an identifier or a string literal.  Using this
    command, it is possible, for example, to temporarily become an
@@ -38,7 +38,7 @@ RESET SESSION AUTHORIZATION
    The session user identifier is initially set to be the (possibly
    authenticated) user name provided by the client.  The current user
    identifier is normally equal to the session user identifier, but
-   might change temporarily in the context of <quote>setuid</quote>
+   might change temporarily in the context of <literal>SECURITY DEFINER</>
    functions and similar mechanisms; it can also be changed by
    <xref linkend="sql-set-role" endterm="sql-set-role-title">.
    The current user identifier is relevant for permission checking.
@@ -65,6 +65,15 @@ RESET SESSION AUTHORIZATION
  </refsect1>
 
  <refsect1>
+  <title>Notes</title>
+
+  <para>
+   <command>SET SESSION AUTHORIZATION</> cannot be used within a
+   <literal>SECURITY DEFINER</> function.
+  </para>
+ </refsect1>
+
+ <refsect1>
   <title>Examples</title>
 
 <programlisting>
diff --git a/doc/src/sgml/ref/show.sgml b/doc/src/sgml/ref/show.sgml
index 14ddd6744f8..ebd1acee35a 100644
--- a/doc/src/sgml/ref/show.sgml
+++ b/doc/src/sgml/ref/show.sgml
@@ -1,5 +1,5 @@
 <!--
-$PostgreSQL: pgsql/doc/src/sgml/ref/show.sgml,v 1.44 2007/09/26 22:36:30 tgl Exp $
+$PostgreSQL: pgsql/doc/src/sgml/ref/show.sgml,v 1.45 2008/01/03 21:23:15 tgl Exp $
 PostgreSQL documentation
 -->
 
@@ -104,8 +104,7 @@ SHOW ALL
         <term><literal>IS_SUPERUSER</literal></term>
         <listitem>
          <para>
-          True if the current session authorization identifier has
-          superuser privileges.
+          True if the current role has superuser privileges.
          </para>
         </listitem>
        </varlistentry>
author	Tom Lane <tgl@sss.pgh.pa.us>	2008-01-03 21:23:15 +0000
committer	Tom Lane <tgl@sss.pgh.pa.us>	2008-01-03 21:23:15 +0000
commit	eedb068c0a7474fb11d67d03b0a9e1ded5df82c4 (patch)
tree	1e5a19e0970f87fea7d5e2d243d5614318229f79 /doc/src
parent	98f27aaef34291246c09ce5d0e0fba4f4477467a (diff)