authorTom Lane <tgl@sss.pgh.pa.us>2008-01-03 21:24:26 +0000
committerTom Lane <tgl@sss.pgh.pa.us>2008-01-03 21:24:26 +0000
commit46cf9c260d11d7288769de4917aa1d86b52d1e91 (patch)
tree20941a29aa9d777bb0ecf53082034d756934da74 /src/backend/utils/fmgr/fmgr.c
parent8b1de3b515b80e86dbef5fcbcc29e5e3256de779 (diff)
Make standard maintenance operations (including VACUUM, ANALYZE, REINDEX,
and CLUSTER) execute as the table owner rather than the calling user, using the same privilege-switching mechanism already used for SECURITY DEFINER functions. The purpose of this change is to ensure that user-defined functions used in index definitions cannot acquire the privileges of a superuser account that is performing routine maintenance. While a function used in an index is supposed to be IMMUTABLE and thus not able to do anything very interesting, there are several easy ways around that restriction; and even if we could plug them all, there would remain a risk of reading sensitive information and broadcasting it through a covert channel such as CPU usage. To prevent bypassing this security measure, execution of SET SESSION AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context. Thanks to Itagaki Takahiro for reporting this vulnerability. Security: CVE-2007-6600
Diffstat (limited to 'src/backend/utils/fmgr/fmgr.c')
-rw-r--r--src/backend/utils/fmgr/fmgr.c17
1 files changed, 12 insertions, 5 deletions
diff --git a/src/backend/utils/fmgr/fmgr.c b/src/backend/utils/fmgr/fmgr.c
index f380ad428d0..48a5b0bf654 100644
--- a/src/backend/utils/fmgr/fmgr.c
+++ b/src/backend/utils/fmgr/fmgr.c
@@ -8,7 +8,7 @@
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/utils/fmgr/fmgr.c,v 1.97.2.2 2007/07/31 15:50:01 tgl Exp $
+ * $PostgreSQL: pgsql/src/backend/utils/fmgr/fmgr.c,v 1.97.2.3 2008/01/03 21:24:26 tgl Exp $
*
*-------------------------------------------------------------------------
*/
@@ -784,6 +784,7 @@ fmgr_security_definer(PG_FUNCTION_ARGS)
FmgrInfo *save_flinfo;
struct fmgr_security_definer_cache *volatile fcache;
Oid save_userid;
+ bool save_secdefcxt;
HeapTuple tuple;
if (!fcinfo->flinfo->fn_extra)
@@ -809,26 +810,32 @@ fmgr_security_definer(PG_FUNCTION_ARGS)
else
fcache = fcinfo->flinfo->fn_extra;
+ GetUserIdAndContext(&save_userid, &save_secdefcxt);
+ SetUserIdAndContext(fcache->userid, true);
+
+ /*
+ * We don't need to restore the userid settings on error, because the
+ * ensuing xact or subxact abort will do that. The PG_TRY block is only
+ * needed to clean up the flinfo link.
+ */
save_flinfo = fcinfo->flinfo;
- save_userid = GetUserId();
PG_TRY();
{
fcinfo->flinfo = &fcache->flinfo;
- SetUserId(fcache->userid);
result = FunctionCallInvoke(fcinfo);
}
PG_CATCH();
{
fcinfo->flinfo = save_flinfo;
- SetUserId(save_userid);
PG_RE_THROW();
}
PG_END_TRY();
fcinfo->flinfo = save_flinfo;
- SetUserId(save_userid);
+
+ SetUserIdAndContext(save_userid, save_secdefcxt);
return result;
}
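Review bot: The `true` passed in `SetUserIdAndContext(fcache->userid, true)` is the part of this hunk that carries the security effect described in the commit message (SET SESSION AUTHORIZATION and SET ROLE are refused while the flag is set), but nothing at the call site says so; a one-line comment such as `/* true = SECURITY DEFINER context: SET ROLE / SET SESSION AUTHORIZATION are refused until restored below */` would keep that intent visible to the next maintainer. The new comment block also makes skipping the restore in PG_CATCH depend on the (sub)transaction abort path resetting both the user id and the context flag; that code is outside this hunk, so naming the function responsible for it in the comment would let anyone changing the abort handling see that fmgr_security_definer relies on it. Note that the pair `GetUserIdAndContext`/`SetUserIdAndContext` runs before PG_TRY, so the restore at the end is reached only on the normal path, which is consistent with the comment but worth stating explicitly. fmgr_security_definer's declarations and opening lines lie outside this hunk.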