Make standard maintenance operations (including VACUUM, ANALYZE, REINDEX,

and CLUSTER) execute as the table owner rather than the calling user, using
the same privilege-switching mechanism already used for SECURITY DEFINER
functions.  The purpose of this change is to ensure that user-defined
functions used in index definitions cannot acquire the privileges of a
superuser account that is performing routine maintenance.  While a function
used in an index is supposed to be IMMUTABLE and thus not able to do anything
very interesting, there are several easy ways around that restriction; and
even if we could plug them all, there would remain a risk of reading sensitive
information and broadcasting it through a covert channel such as CPU usage.

To prevent bypassing this security measure, execution of SET SESSION
AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context.

Thanks to Itagaki Takahiro for reporting this vulnerability.

Security: CVE-2007-6600

src/backend/commands/analyze.c

@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/commands/analyze.c,v 1.101 2006/11/05 22:42:08 tgl Exp $
+ *	  $PostgreSQL: pgsql/src/backend/commands/analyze.c,v 1.101.2.1 2008/01/03 21:23:45 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -109,6 +109,8 @@ analyze_rel(Oid relid, VacuumStmt *vacstmt)
 	double		totalrows,
 				totaldeadrows;
 	HeapTuple  *rows;
+	Oid			save_userid;
+	bool		save_secdefcxt;
 
 	if (vacstmt->verbose)
 		elevel = INFO;
@@ -195,6 +197,13 @@ analyze_rel(Oid relid, VacuumStmt *vacstmt)
 					get_namespace_name(RelationGetNamespace(onerel)),
 					RelationGetRelationName(onerel))));
 
+	/*
+	 * Switch to the table owner's userid, so that any index functions are
+	 * run as that user.
+	 */
+	GetUserIdAndContext(&save_userid, &save_secdefcxt);
+	SetUserIdAndContext(onerel->rd_rel->relowner, true);
+
 	/*
 	 * Determine which columns to analyze
 	 *
@@ -319,9 +328,7 @@ analyze_rel(Oid relid, VacuumStmt *vacstmt)
 								  onerel->rd_rel->relisshared,
 								  0, 0);
 
-		vac_close_indexes(nindexes, Irel, AccessShareLock);
-		relation_close(onerel, ShareUpdateExclusiveLock);
-		return;
+		goto cleanup;
 	}
 
 	/*
@@ -441,6 +448,9 @@ analyze_rel(Oid relid, VacuumStmt *vacstmt)
 							  totalrows, totaldeadrows);
 	}
 
+	/* We skip to here if there were no analyzable columns */
+cleanup:
+
 	/* Done with indexes */
 	vac_close_indexes(nindexes, Irel, NoLock);
 
@@ -451,6 +461,9 @@ analyze_rel(Oid relid, VacuumStmt *vacstmt)
 	 * expose us to concurrent-update failures in update_attstats.)
 	 */
 	relation_close(onerel, NoLock);
+
+	/* Restore userid */
+	SetUserIdAndContext(save_userid, save_secdefcxt);
 }
 
 /*

src/backend/commands/schemacmds.c

@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/commands/schemacmds.c,v 1.41 2006/07/13 16:49:14 momjian Exp $
+ *	  $PostgreSQL: pgsql/src/backend/commands/schemacmds.c,v 1.41.2.1 2008/01/03 21:23:45 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -47,9 +47,10 @@ CreateSchemaCommand(CreateSchemaStmt *stmt)
 	ListCell   *parsetree_item;
 	Oid			owner_uid;
 	Oid			saved_uid;
+	bool		saved_secdefcxt;
 	AclResult	aclresult;
 
-	saved_uid = GetUserId();
+	GetUserIdAndContext(&saved_uid, &saved_secdefcxt);
 
 	/*
 	 * Who is supposed to own the new schema?
@@ -85,11 +86,11 @@ CreateSchemaCommand(CreateSchemaStmt *stmt)
 	 * temporarily set the current user so that the object(s) will be created
 	 * with the correct ownership.
 	 *
-	 * (The setting will revert to session user on error or at the end of this
-	 * routine.)
+	 * (The setting will be restored at the end of this routine, or in case
+	 * of error, transaction abort will clean things up.)
 	 */
 	if (saved_uid != owner_uid)
-		SetUserId(owner_uid);
+		SetUserIdAndContext(owner_uid, true);
 
 	/* Create the schema's namespace */
 	namespaceId = NamespaceCreate(schemaName, owner_uid);
@@ -141,7 +142,7 @@ CreateSchemaCommand(CreateSchemaStmt *stmt)
 	PopSpecialNamespace(namespaceId);
 
 	/* Reset current user */
-	SetUserId(saved_uid);
+	SetUserIdAndContext(saved_uid, saved_secdefcxt);
 }
 
 

src/backend/commands/vacuum.c

@@ -13,7 +13,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/commands/vacuum.c,v 1.342.2.3 2007/06/14 13:54:28 alvherre Exp $
+ *	  $PostgreSQL: pgsql/src/backend/commands/vacuum.c,v 1.342.2.4 2008/01/03 21:23:45 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -959,6 +959,8 @@ vacuum_rel(Oid relid, VacuumStmt *vacstmt, char expected_relkind)
 	Relation	onerel;
 	LockRelId	onerelid;
 	Oid			toast_relid;
+	Oid			save_userid;
+	bool		save_secdefcxt;
 
 	/* Begin a transaction for vacuuming this relation */
 	StartTransactionCommand();
@@ -1086,6 +1088,14 @@ vacuum_rel(Oid relid, VacuumStmt *vacstmt, char expected_relkind)
 	 */
 	toast_relid = onerel->rd_rel->reltoastrelid;
 
+	/*
+	 * Switch to the table owner's userid, so that any index functions are
+	 * run as that user.  (This is unnecessary, but harmless, for lazy
+	 * VACUUM.)
+	 */
+	GetUserIdAndContext(&save_userid, &save_secdefcxt);
+	SetUserIdAndContext(onerel->rd_rel->relowner, true);
+
 	/*
 	 * Tell the cache replacement strategy that vacuum is causing all
 	 * following IO
@@ -1102,6 +1112,9 @@ vacuum_rel(Oid relid, VacuumStmt *vacstmt, char expected_relkind)
 
 	StrategyHintVacuum(false);
 
+	/* Restore userid */
+	SetUserIdAndContext(save_userid, save_secdefcxt);
+
 	/* all done with this class, but hold lock until commit */
 	relation_close(onerel, NoLock);
 

src/backend/commands/variable.c

@@ -9,7 +9,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/commands/variable.c,v 1.119 2006/10/04 00:29:52 momjian Exp $
+ *	  $PostgreSQL: pgsql/src/backend/commands/variable.c,v 1.119.2.1 2008/01/03 21:23:45 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -620,6 +620,22 @@ assign_session_authorization(const char *value, bool doit, GucSource source)
 		/* not a saved ID, so look it up */
 		HeapTuple	roleTup;
 
+		if (InSecurityDefinerContext())
+		{
+			/*
+			 * Disallow SET SESSION AUTHORIZATION inside a security definer
+			 * context.  We need to do this because when we exit the context,
+			 * GUC won't be notified, leaving things out of sync.  Note that
+			 * this test is positioned so that restoring a previously saved
+			 * setting isn't prevented.
+			 */
+			if (source >= PGC_S_INTERACTIVE)
+				ereport(ERROR,
+						(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+						 errmsg("cannot set session authorization within security-definer function")));
+			return NULL;
+		}
+
 		if (!IsTransactionState())
 		{
 			/*
@@ -727,6 +743,25 @@ assign_role(const char *value, bool doit, GucSource source)
 		}
 	}
 
+	if (roleid == InvalidOid && InSecurityDefinerContext())
+	{
+		/*
+		 * Disallow SET ROLE inside a security definer context.  We need to do
+		 * this because when we exit the context, GUC won't be notified,
+		 * leaving things out of sync.  Note that this test is arranged so
+		 * that restoring a previously saved setting isn't prevented.
+		 *
+		 * XXX it would be nice to allow this case in future, with the
+		 * behavior being that the SET ROLE's effects end when the security
+		 * definer context is exited.
+		 */
+		if (source >= PGC_S_INTERACTIVE)
+			ereport(ERROR,
+					(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+					 errmsg("cannot set role within security-definer function")));
+		return NULL;
+	}
+
 	if (roleid == InvalidOid &&
 		strcmp(actual_rolename, "none") != 0)
 	{