database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-06-27 23:21:58 +03:00
Code Activity

Make standard maintenance operations (including VACUUM, ANALYZE, REINDEX,

Browse Source 
and CLUSTER) execute as the table owner rather than the calling user, using
the same privilege-switching mechanism already used for SECURITY DEFINER
functions.  The purpose of this change is to ensure that user-defined
functions used in index definitions cannot acquire the privileges of a
superuser account that is performing routine maintenance.  While a function
used in an index is supposed to be IMMUTABLE and thus not able to do anything
very interesting, there are several easy ways around that restriction; and
even if we could plug them all, there would remain a risk of reading sensitive
information and broadcasting it through a covert channel such as CPU usage.

To prevent bypassing this security measure, execution of SET SESSION
AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context.

Thanks to Itagaki Takahiro for reporting this vulnerability.

Security: CVE-2007-6600
This commit is contained in:
Tom Lane
2008-01-03 21:23:15 +00:00
parent 98f27aaef3
commit eedb068c0a
13 changed files with 237 additions and 127 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
src/backend/commands/schemacmds.c
View File

@ -8,7 +8,7 @@
*
*
* IDENTIFICATION
* $PostgreSQL: pgsql/src/backend/commands/schemacmds.c,v 1.48 2008/01/01 19:45:49 momjian Exp $
* $PostgreSQL: pgsql/src/backend/commands/schemacmds.c,v 1.49 2008/01/03 21:23:15 tgl Exp $
*
*-------------------------------------------------------------------------
*/
@ -48,9 +48,10 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString)
ListCell *parsetree_item;
Oid owner_uid;
Oid saved_uid;
bool saved_secdefcxt;
AclResult aclresult;
saved_uid = GetUserId();
GetUserIdAndContext(&saved_uid, &saved_secdefcxt);
/*
* Who is supposed to own the new schema?
@ -86,11 +87,11 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString)
* temporarily set the current user so that the object(s) will be created
* with the correct ownership.
*
* (The setting will revert to session user on error or at the end of this
* routine.)
* (The setting will be restored at the end of this routine, or in case
* of error, transaction abort will clean things up.)
*/
if (saved_uid != owner_uid)
SetUserId(owner_uid);
SetUserIdAndContext(owner_uid, true);
/* Create the schema's namespace */
namespaceId = NamespaceCreate(schemaName, owner_uid);
@ -142,7 +143,7 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString)
PopOverrideSearchPath();
/* Reset current user */
SetUserId(saved_uid);
SetUserIdAndContext(saved_uid, saved_secdefcxt);
}