| author | Tom Lane <tgl@sss.pgh.pa.us> | 2008-01-03 21:23:45 +0000 |
|---|---|---|
| committer | Tom Lane <tgl@sss.pgh.pa.us> | 2008-01-03 21:23:45 +0000 |
| commit | 3af35f8d40bede09c4fe976050ff402dc346dbf2 (patch) | |
| tree | c91e4271dd0c01688da04733af50e83f9f43a635 /src/backend/commands/vacuum.c | |
| parent | 0f8fe9bed141e78bbce03f4517fdc5a6e35665c9 (diff) | |
Make standard maintenance operations (including VACUUM, ANALYZE, REINDEX,
and CLUSTER) execute as the table owner rather than the calling user, using
the same privilege-switching mechanism already used for SECURITY DEFINER
functions. The purpose of this change is to ensure that user-defined
functions used in index definitions cannot acquire the privileges of a
superuser account that is performing routine maintenance. While a function
used in an index is supposed to be IMMUTABLE and thus not able to do anything
very interesting, there are several easy ways around that restriction; and
even if we could plug them all, there would remain a risk of reading sensitive
information and broadcasting it through a covert channel such as CPU usage.
To prevent bypassing this security measure, execution of SET SESSION
AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context.
Thanks to Itagaki Takahiro for reporting this vulnerability.
Security: CVE-2007-6600
Diffstat (limited to 'src/backend/commands/vacuum.c')
-rw-r--r-- | src/backend/commands/vacuum.c | 15
1 files changed, 14 insertions, 1 deletions
diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 304cc325d38..e3f9367f028 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -13,7 +13,7 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/commands/vacuum.c,v 1.342.2.3 2007/06/14 13:54:28 alvherre Exp $ + * $PostgreSQL: pgsql/src/backend/commands/vacuum.c,v 1.342.2.4 2008/01/03 21:23:45 tgl Exp $ * *------------------------------------------------------------------------- */ @@ -959,6 +959,8 @@ vacuum_rel(Oid relid, VacuumStmt *vacstmt, char expected_relkind) Relation onerel; LockRelId onerelid; Oid toast_relid; + Oid save_userid; + bool save_secdefcxt; /* Begin a transaction for vacuuming this relation */ StartTransactionCommand(); @@ -1087,6 +1089,14 @@ vacuum_rel(Oid relid, VacuumStmt *vacstmt, char expected_relkind) toast_relid = onerel->rd_rel->reltoastrelid; /* + * Switch to the table owner's userid, so that any index functions are + * run as that user. (This is unnecessary, but harmless, for lazy + * VACUUM.) + */ + GetUserIdAndContext(&save_userid, &save_secdefcxt); + SetUserIdAndContext(onerel->rd_rel->relowner, true); + + /* * Tell the cache replacement strategy that vacuum is causing all * following IO */ @@ -1102,6 +1112,9 @@ vacuum_rel(Oid relid, VacuumStmt *vacstmt, char expected_relkind) StrategyHintVacuum(false); + /* Restore userid */ + SetUserIdAndContext(save_userid, save_secdefcxt); + /* all done with this class, but hold lock until commit */ relation_close(onerel, NoLock); |
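Review bot: the comment added in the third hunk ("This is unnecessary, but harmless, for lazy VACUUM.") asserts that the owner switch is not needed for the lazy path without saying why, and a later maintainer could read that as licence to skip `SetUserIdAndContext(onerel->rd_rel->relowner, true);` for lazy VACUUM. Since the whole point of the change is that index functions run as the table owner, the comment should name what distinguishes the lazy path (which code path does or does not evaluate index expressions) so the reason survives with the code.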
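Review bot: the restore in the last hunk, `SetUserIdAndContext(save_userid, save_secdefcxt);`, sits only on the normal exit path; any ERROR raised between the switch in the third hunk and this line leaves vacuum_rel without restoring the caller's userid and secdefcxt. Because this function opens its own transaction (`StartTransactionCommand();` in the second hunk), that is acceptable only if transaction abort resets the userid state; either record that dependency in the `/* Restore userid */` comment or wrap the section in PG_TRY/PG_CATCH so the restore is explicit on both paths.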