database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-07-15 19:21:59 +03:00
Code Activity

Make standard maintenance operations (including VACUUM, ANALYZE, REINDEX,

Browse Source 
and CLUSTER) execute as the table owner rather than the calling user, using
the same privilege-switching mechanism already used for SECURITY DEFINER
functions.  The purpose of this change is to ensure that user-defined
functions used in index definitions cannot acquire the privileges of a
superuser account that is performing routine maintenance.  While a function
used in an index is supposed to be IMMUTABLE and thus not able to do anything
very interesting, there are several easy ways around that restriction; and
even if we could plug them all, there would remain a risk of reading sensitive
information and broadcasting it through a covert channel such as CPU usage.

To prevent bypassing this security measure, execution of SET SESSION
AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context.

Thanks to Itagaki Takahiro for reporting this vulnerability.

Security: CVE-2007-6600
This commit is contained in:
Tom Lane
2008-01-03 21:23:15 +00:00
parent 98f27aaef3
commit eedb068c0a
13 changed files with 237 additions and 127 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
src/backend/commands/analyze.c
View File

@ -8,7 +8,7 @@
*
*
* IDENTIFICATION
* $PostgreSQL: pgsql/src/backend/commands/analyze.c,v 1.113 2008/01/01 19:45:48 momjian Exp $
* $PostgreSQL: pgsql/src/backend/commands/analyze.c,v 1.114 2008/01/03 21:23:15 tgl Exp $
*
*-------------------------------------------------------------------------
*/
@ -119,6 +119,8 @@ analyze_rel(Oid relid, VacuumStmt *vacstmt,
HeapTuple *rows;
PGRUsage ru0;
TimestampTz starttime = 0;
Oid save_userid;
bool save_secdefcxt;
if (vacstmt->verbose)
elevel = INFO;
@ -202,6 +204,18 @@ analyze_rel(Oid relid, VacuumStmt *vacstmt,
return;
}
ereport(elevel,
(errmsg("analyzing \"%s.%s\"",
get_namespace_name(RelationGetNamespace(onerel)),
RelationGetRelationName(onerel))));
/*
* Switch to the table owner's userid, so that any index functions are
* run as that user.
*/
GetUserIdAndContext(&save_userid, &save_secdefcxt);
SetUserIdAndContext(onerel->rd_rel->relowner, true);
/* let others know what I'm doing */
LWLockAcquire(ProcArrayLock, LW_EXCLUSIVE);
MyProc->vacuumFlags |= PROC_IN_ANALYZE;
@ -215,11 +229,6 @@ analyze_rel(Oid relid, VacuumStmt *vacstmt,
starttime = GetCurrentTimestamp();
}
ereport(elevel,
(errmsg("analyzing \"%s.%s\"",
get_namespace_name(RelationGetNamespace(onerel)),
RelationGetRelationName(onerel))));
/*
* Determine which columns to analyze
*
@ -344,9 +353,7 @@ analyze_rel(Oid relid, VacuumStmt *vacstmt,
onerel->rd_rel->relisshared,
0, 0);
vac_close_indexes(nindexes, Irel, AccessShareLock);
relation_close(onerel, ShareUpdateExclusiveLock);
return;
goto cleanup;
}
/*
@ -466,6 +473,9 @@ analyze_rel(Oid relid, VacuumStmt *vacstmt,
totalrows, totaldeadrows);
}
/* We skip to here if there were no analyzable columns */
cleanup:
/* Done with indexes */
vac_close_indexes(nindexes, Irel, NoLock);
@ -498,6 +508,9 @@ analyze_rel(Oid relid, VacuumStmt *vacstmt,
LWLockAcquire(ProcArrayLock, LW_EXCLUSIVE);
MyProc->vacuumFlags &= ~PROC_IN_ANALYZE;
LWLockRelease(ProcArrayLock);
/* Restore userid */
SetUserIdAndContext(save_userid, save_secdefcxt);
}
/*

13
src/backend/commands/schemacmds.c
View File

@ -8,7 +8,7 @@
*
*
* IDENTIFICATION
* $PostgreSQL: pgsql/src/backend/commands/schemacmds.c,v 1.48 2008/01/01 19:45:49 momjian Exp $
* $PostgreSQL: pgsql/src/backend/commands/schemacmds.c,v 1.49 2008/01/03 21:23:15 tgl Exp $
*
*-------------------------------------------------------------------------
*/
@ -48,9 +48,10 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString)
ListCell *parsetree_item;
Oid owner_uid;
Oid saved_uid;
bool saved_secdefcxt;
AclResult aclresult;
saved_uid = GetUserId();
GetUserIdAndContext(&saved_uid, &saved_secdefcxt);
/*
* Who is supposed to own the new schema?
@ -86,11 +87,11 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString)
* temporarily set the current user so that the object(s) will be created
* with the correct ownership.
*
* (The setting will revert to session user on error or at the end of this
* routine.)
* (The setting will be restored at the end of this routine, or in case
* of error, transaction abort will clean things up.)
*/
if (saved_uid != owner_uid)
SetUserId(owner_uid);
SetUserIdAndContext(owner_uid, true);
/* Create the schema's namespace */
namespaceId = NamespaceCreate(schemaName, owner_uid);
@ -142,7 +143,7 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString)
PopOverrideSearchPath();
/* Reset current user */
SetUserId(saved_uid);
SetUserIdAndContext(saved_uid, saved_secdefcxt);
}

15
src/backend/commands/vacuum.c
View File

@ -13,7 +13,7 @@
*
*
* IDENTIFICATION
* $PostgreSQL: pgsql/src/backend/commands/vacuum.c,v 1.362 2008/01/01 19:45:49 momjian Exp $
* $PostgreSQL: pgsql/src/backend/commands/vacuum.c,v 1.363 2008/01/03 21:23:15 tgl Exp $
*
*-------------------------------------------------------------------------
*/
@ -971,6 +971,8 @@ vacuum_rel(Oid relid, VacuumStmt *vacstmt, char expected_relkind)
Relation onerel;
LockRelId onerelid;
Oid toast_relid;
Oid save_userid;
bool save_secdefcxt;
/* Begin a transaction for vacuuming this relation */
StartTransactionCommand();
@ -1100,6 +1102,14 @@ vacuum_rel(Oid relid, VacuumStmt *vacstmt, char expected_relkind)
*/
toast_relid = onerel->rd_rel->reltoastrelid;
/*
* Switch to the table owner's userid, so that any index functions are
* run as that user. (This is unnecessary, but harmless, for lazy
* VACUUM.)
*/
GetUserIdAndContext(&save_userid, &save_secdefcxt);
SetUserIdAndContext(onerel->rd_rel->relowner, true);
/*
* Do the actual work --- either FULL or "lazy" vacuum
*/
@ -1108,6 +1118,9 @@ vacuum_rel(Oid relid, VacuumStmt *vacstmt, char expected_relkind)
else
lazy_vacuum_rel(onerel, vacstmt, vac_strategy);
/* Restore userid */
SetUserIdAndContext(save_userid, save_secdefcxt);
/* all done with this class, but hold lock until commit */
relation_close(onerel, NoLock);

35
src/backend/commands/variable.c
View File

@ -9,7 +9,7 @@
*
*
* IDENTIFICATION
* $PostgreSQL: pgsql/src/backend/commands/variable.c,v 1.124 2008/01/01 19:45:49 momjian Exp $
* $PostgreSQL: pgsql/src/backend/commands/variable.c,v 1.125 2008/01/03 21:23:15 tgl Exp $
*
*-------------------------------------------------------------------------
*/
@ -717,6 +717,21 @@ assign_session_authorization(const char *value, bool doit, GucSource source)
/* not a saved ID, so look it up */
HeapTuple roleTup;
if (InSecurityDefinerContext())
{
/*
* Disallow SET SESSION AUTHORIZATION inside a security definer
* context. We need to do this because when we exit the context,
* GUC won't be notified, leaving things out of sync. Note that
* this test is positioned so that restoring a previously saved
* setting isn't prevented.
*/
ereport(GUC_complaint_elevel(source),
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
errmsg("cannot set session authorization within security-definer function")));
return NULL;
}
if (!IsTransactionState())
{
/*
@ -823,6 +838,24 @@ assign_role(const char *value, bool doit, GucSource source)
}
}
if (roleid == InvalidOid && InSecurityDefinerContext())
{
/*
* Disallow SET ROLE inside a security definer context. We need to do
* this because when we exit the context, GUC won't be notified,
* leaving things out of sync. Note that this test is arranged so
* that restoring a previously saved setting isn't prevented.
*
* XXX it would be nice to allow this case in future, with the
* behavior being that the SET ROLE's effects end when the security
* definer context is exited.
*/
ereport(GUC_complaint_elevel(source),
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
errmsg("cannot set role within security-definer function")));
return NULL;
}
if (roleid == InvalidOid &&
strcmp(actual_rolename, "none") != 0)
{