Make standard maintenance operations (including VACUUM, ANALYZE, REINDEX,

and CLUSTER) execute as the table owner rather than the calling user, using the same privilege-switching mechanism already used for SECURITY DEFINER functions. The purpose of this change is to ensure that user-defined functions used in index definitions cannot acquire the privileges of a superuser account that is performing routine maintenance. While a function used in an index is supposed to be IMMUTABLE and thus not able to do anything very interesting, there are several easy ways around that restriction; and even if we could plug them all, there would remain a risk of reading sensitive information and broadcasting it through a covert channel such as CPU usage. To prevent bypassing this security measure, execution of SET SESSION AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context. Thanks to Itagaki Takahiro for reporting this vulnerability. Security: CVE-2007-6600
2025-08-06 18:42:54 +03:00 · 2008-01-03 21:25:58 +00:00
parent 7146fab2a8
commit 218cf59b60
10 changed files with 209 additions and 92 deletions
--- a/doc/src/sgml/ref/set_session_auth.sgml
+++ b/doc/src/sgml/ref/set_session_auth.sgml
@@ -1,4 +1,4 @@
-<!-- $Header: /cvsroot/pgsql/doc/src/sgml/ref/set_session_auth.sgml,v 1.7 2002/09/21 18:32:54 petere Exp $ -->
+<!-- $Header: /cvsroot/pgsql/doc/src/sgml/ref/set_session_auth.sgml,v 1.7.2.1 2008/01/03 21:25:58 tgl Exp $ -->
 <refentry id="SQL-SET-SESSION-AUTHORIZATION">
 <docinfo>
  <date>2001-04-21</date>
@@ -27,7 +27,7 @@ RESET SESSION AUTHORIZATION

  <para>
   This command sets the session user identifier and the current user
-   identifier of the current SQL-session context to be
+   identifier of the current SQL session to be
   <parameter>username</parameter>.  The user name may be written as
   either an identifier or a string literal.
   The session user identifier is valid for the duration of a
@@ -39,7 +39,7 @@ RESET SESSION AUTHORIZATION
   The session user identifier is initially set to be the (possibly
   authenticated) user name provided by the client.  The current user
   identifier is normally equal to the session user identifier, but
-   may change temporarily in the context of <quote>setuid</quote>
+   might change temporarily in the context of <literal>SECURITY DEFINER</>
   functions and similar mechanisms.  The current user identifier is
   relevant for permission checking.
  </para>
@@ -65,6 +65,15 @@ RESET SESSION AUTHORIZATION

 </refsect1>

+ <refsect1>
+  <title>Notes</title>
+
+  <para>
+   <command>SET SESSION AUTHORIZATION</> cannot be used within a
+   <literal>SECURITY DEFINER</> function.
+  </para>
+ </refsect1>
+
 <refsect1>
  <title>Examples</title>