From 3af35f8d40bede09c4fe976050ff402dc346dbf2 Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Thu, 3 Jan 2008 21:23:45 +0000 Subject: Make standard maintenance operations (including VACUUM, ANALYZE, REINDEX, and CLUSTER) execute as the table owner rather than the calling user, using the same privilege-switching mechanism already used for SECURITY DEFINER functions. The purpose of this change is to ensure that user-defined functions used in index definitions cannot acquire the privileges of a superuser account that is performing routine maintenance. While a function used in an index is supposed to be IMMUTABLE and thus not able to do anything very interesting, there are several easy ways around that restriction; and even if we could plug them all, there would remain a risk of reading sensitive information and broadcasting it through a covert channel such as CPU usage. To prevent bypassing this security measure, execution of SET SESSION AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context. Thanks to Itagaki Takahiro for reporting this vulnerability. Security: CVE-2007-6600 --- src/backend/commands/analyze.c | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) (limited to 'src/backend/commands/analyze.c') diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index 95410258d34..233345c1c47 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -8,7 +8,7 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/commands/analyze.c,v 1.101 2006/11/05 22:42:08 tgl Exp $ + * $PostgreSQL: pgsql/src/backend/commands/analyze.c,v 1.101.2.1 2008/01/03 21:23:45 tgl Exp $ * *------------------------------------------------------------------------- */ @@ -109,6 +109,8 @@ analyze_rel(Oid relid, VacuumStmt *vacstmt) double totalrows, totaldeadrows; HeapTuple *rows; + Oid save_userid; + bool save_secdefcxt; if (vacstmt->verbose) elevel = INFO; @@ -195,6 +197,13 @@ analyze_rel(Oid relid, VacuumStmt *vacstmt) get_namespace_name(RelationGetNamespace(onerel)), RelationGetRelationName(onerel)))); + /* + * Switch to the table owner's userid, so that any index functions are + * run as that user. + */ + GetUserIdAndContext(&save_userid, &save_secdefcxt); + SetUserIdAndContext(onerel->rd_rel->relowner, true); + /* * Determine which columns to analyze * @@ -319,9 +328,7 @@ analyze_rel(Oid relid, VacuumStmt *vacstmt) onerel->rd_rel->relisshared, 0, 0); - vac_close_indexes(nindexes, Irel, AccessShareLock); - relation_close(onerel, ShareUpdateExclusiveLock); - return; + goto cleanup; } /* @@ -441,6 +448,9 @@ analyze_rel(Oid relid, VacuumStmt *vacstmt) totalrows, totaldeadrows); } + /* We skip to here if there were no analyzable columns */ +cleanup: + /* Done with indexes */ vac_close_indexes(nindexes, Irel, NoLock); @@ -451,6 +461,9 @@ analyze_rel(Oid relid, VacuumStmt *vacstmt) * expose us to concurrent-update failures in update_attstats.) */ relation_close(onerel, NoLock); + + /* Restore userid */ + SetUserIdAndContext(save_userid, save_secdefcxt); } /* -- cgit v1.2.3