database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-06-14 18:42:34 +03:00
Code Activity

Make relation-enumerating operations be security-restricted operations.

Browse Source 
When a feature enumerates relations and runs functions associated with
all found relations, the feature's user shall not need to trust every
user having permission to create objects.  BRIN-specific functionality
in autovacuum neglected to account for this, as did pg_amcheck and
CLUSTER.  An attacker having permission to create non-temp objects in at
least one schema could execute arbitrary SQL functions under the
identity of the bootstrap superuser.  CREATE INDEX (not a
relation-enumerating operation) and REINDEX protected themselves too
late.  This change extends to the non-enumerating amcheck interface.
Back-patch to v10 (all supported versions).

Sergey Shinderuk, reviewed (in earlier versions) by Alexander Lakhin.
Reported by Alexander Lakhin.

Security: CVE-2022-1552
This commit is contained in:
Noah Misch
2022-05-09 08:35:08 -07:00
parent f45f8b7ff3
commit a117cebd63
10 changed files with 378 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
src/backend/commands/cluster.c
View File

@ -310,6 +310,9 @@ void
cluster_rel(Oid tableOid, Oid indexOid, ClusterParams *params)
{
Relation OldHeap;
Oid save_userid;
int save_sec_context;
int save_nestlevel;
bool verbose = ((params->options & CLUOPT_VERBOSE) != 0);
bool recheck = ((params->options & CLUOPT_RECHECK) != 0);
@ -339,6 +342,16 @@ cluster_rel(Oid tableOid, Oid indexOid, ClusterParams *params)
return;
}
/*
* Switch to the table owner's userid, so that any index functions are run
* as that user. Also lock down security-restricted operations and
* arrange to make GUC variable changes local to this command.
*/
GetUserIdAndSecContext(&save_userid, &save_sec_context);
SetUserIdAndSecContext(OldHeap->rd_rel->relowner,
save_sec_context | SECURITY_RESTRICTED_OPERATION);
save_nestlevel = NewGUCNestLevel();
/*
* Since we may open a new transaction for each relation, we have to check
* that the relation still is what we think it is.
@ -350,11 +363,10 @@ cluster_rel(Oid tableOid, Oid indexOid, ClusterParams *params)
if (recheck)
{
/* Check that the user still owns the relation */
if (!pg_class_ownercheck(tableOid, GetUserId()))
if (!pg_class_ownercheck(tableOid, save_userid))
{
relation_close(OldHeap, AccessExclusiveLock);
pgstat_progress_end_command();
return;
goto out;
}
/*
@ -369,8 +381,7 @@ cluster_rel(Oid tableOid, Oid indexOid, ClusterParams *params)
if (RELATION_IS_OTHER_TEMP(OldHeap))
{
relation_close(OldHeap, AccessExclusiveLock);
pgstat_progress_end_command();
return;
goto out;
}
if (OidIsValid(indexOid))
@ -381,8 +392,7 @@ cluster_rel(Oid tableOid, Oid indexOid, ClusterParams *params)
if (!SearchSysCacheExists1(RELOID, ObjectIdGetDatum(indexOid)))
{
relation_close(OldHeap, AccessExclusiveLock);
pgstat_progress_end_command();
return;
goto out;
}
/*
@ -393,8 +403,7 @@ cluster_rel(Oid tableOid, Oid indexOid, ClusterParams *params)
!get_index_isclustered(indexOid))
{
relation_close(OldHeap, AccessExclusiveLock);
pgstat_progress_end_command();
return;
goto out;
}
}
}
@ -447,8 +456,7 @@ cluster_rel(Oid tableOid, Oid indexOid, ClusterParams *params)
!RelationIsPopulated(OldHeap))
{
relation_close(OldHeap, AccessExclusiveLock);
pgstat_progress_end_command();
return;
goto out;
}
Assert(OldHeap->rd_rel->relkind == RELKIND_RELATION ||
@ -468,6 +476,13 @@ cluster_rel(Oid tableOid, Oid indexOid, ClusterParams *params)
/* NB: rebuild_relation does table_close() on OldHeap */
out:
/* Roll back any GUC changes executed by index functions */
AtEOXact_GUC(false, save_nestlevel);
/* Restore userid and security context */
SetUserIdAndSecContext(save_userid, save_sec_context);
pgstat_progress_end_command();
}