mirror of
https://github.com/postgres/postgres.git
synced 2025-08-12 15:23:02 +03:00
Prevent indirect security attacks via changing session-local state within
an allegedly immutable index function. It was previously recognized that we had to prevent such a function from executing SET/RESET ROLE/SESSION AUTHORIZATION, or it could trivially obtain the privileges of the session user. However, since there is in general no privilege checking for changes of session-local state, it is also possible for such a function to change settings in a way that might subvert later operations in the same session. Examples include changing search_path to cause an unexpected function to be called, or replacing an existing prepared statement with another one that will execute a function of the attacker's choosing. The present patch secures VACUUM, ANALYZE, and CREATE INDEX/REINDEX against these threats, which are the same places previously deemed to need protection against the SET ROLE issue. GUC changes are still allowed, since there are many useful cases for that, but we prevent security problems by forcing a rollback of any GUC change after completing the operation. Other cases are handled by throwing an error if any change is attempted; these include temp table creation, closing a cursor, and creating or deleting a prepared statement. (In 7.4, the infrastructure to roll back GUC changes doesn't exist, so we settle for rejecting changes of "search_path" in these contexts.) Original report and patch by Gurjeet Singh, additional analysis by Tom Lane. Security: CVE-2009-4136
This commit is contained in:
Tom Lane
@@ -8,7 +8,7 @@
|
||||
*
|
||||
*
|
||||
* IDENTIFICATION
|
||||
* $PostgreSQL: pgsql/src/backend/commands/analyze.c,v 1.80.4.1 2008/01/03 21:25:00 tgl Exp $
|
||||
* $PostgreSQL: pgsql/src/backend/commands/analyze.c,v 1.80.4.2 2009/12/09 21:58:54 tgl Exp $
|
||||
*
|
||||
*-------------------------------------------------------------------------
|
||||
*/
|
||||
@@ -34,6 +34,7 @@
|
||||
#include "utils/builtins.h"
|
||||
#include "utils/datum.h"
|
||||
#include "utils/fmgroids.h"
|
||||
#include "utils/guc.h"
|
||||
#include "utils/lsyscache.h"
|
||||
#include "utils/syscache.h"
|
||||
#include "utils/tuplesort.h"
|
||||
@@ -111,7 +112,8 @@ analyze_rel(Oid relid, VacuumStmt *vacstmt)
|
||||
double totalrows;
|
||||
HeapTuple *rows;
|
||||
AclId save_userid;
|
||||
bool save_secdefcxt;
|
||||
int save_sec_context;
|
||||
int save_nestlevel;
|
||||
|
||||
if (vacstmt->verbose)
|
||||
elevel = INFO;
|
||||
@@ -202,11 +204,14 @@ analyze_rel(Oid relid, VacuumStmt *vacstmt)
|
||||
RelationGetRelationName(onerel))));
|
||||
|
||||
/*
|
||||
* Switch to the table owner's userid, so that any index functions are
|
||||
* run as that user.
|
||||
* Switch to the table owner's userid, so that any index functions are run
|
||||
* as that user. Also lock down security-restricted operations and
|
||||
* arrange to make GUC variable changes local to this command.
|
||||
*/
|
||||
GetUserIdAndContext(&save_userid, &save_secdefcxt);
|
||||
SetUserIdAndContext(onerel->rd_rel->relowner, true);
|
||||
GetUserIdAndSecContext(&save_userid, &save_sec_context);
|
||||
SetUserIdAndSecContext(onerel->rd_rel->relowner,
|
||||
save_sec_context | SECURITY_RESTRICTED_OPERATION);
|
||||
save_nestlevel = NewGUCNestLevel();
|
||||
|
||||
/*
|
||||
* Determine which columns to analyze
|
||||
@@ -444,8 +449,11 @@ cleanup:
|
||||
*/
|
||||
relation_close(onerel, NoLock);
|
||||
|
||||
/* Restore userid */
|
||||
SetUserIdAndContext(save_userid, save_secdefcxt);
|
||||
/* Roll back any GUC changes executed by index functions */
|
||||
AtEOXact_GUC(false, save_nestlevel);
|
||||
|
||||
/* Restore userid and security context */
|
||||
SetUserIdAndSecContext(save_userid, save_sec_context);
|
||||
}
|
||||
|
||||
/*
|
||||
|
||||
Reference in New Issue
Block a user