From eedb068c0a7474fb11d67d03b0a9e1ded5df82c4 Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Thu, 3 Jan 2008 21:23:15 +0000 Subject: Make standard maintenance operations (including VACUUM, ANALYZE, REINDEX, and CLUSTER) execute as the table owner rather than the calling user, using the same privilege-switching mechanism already used for SECURITY DEFINER functions. The purpose of this change is to ensure that user-defined functions used in index definitions cannot acquire the privileges of a superuser account that is performing routine maintenance. While a function used in an index is supposed to be IMMUTABLE and thus not able to do anything very interesting, there are several easy ways around that restriction; and even if we could plug them all, there would remain a risk of reading sensitive information and broadcasting it through a covert channel such as CPU usage. To prevent bypassing this security measure, execution of SET SESSION AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context. Thanks to Itagaki Takahiro for reporting this vulnerability. Security: CVE-2007-6600 --- src/backend/commands/schemacmds.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) (limited to 'src/backend/commands/schemacmds.c') diff --git a/src/backend/commands/schemacmds.c b/src/backend/commands/schemacmds.c index 91a7ce9270..d77294ccc2 100644 --- a/src/backend/commands/schemacmds.c +++ b/src/backend/commands/schemacmds.c @@ -8,7 +8,7 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/commands/schemacmds.c,v 1.48 2008/01/01 19:45:49 momjian Exp $ + * $PostgreSQL: pgsql/src/backend/commands/schemacmds.c,v 1.49 2008/01/03 21:23:15 tgl Exp $ * *------------------------------------------------------------------------- */ @@ -48,9 +48,10 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString) ListCell *parsetree_item; Oid owner_uid; Oid saved_uid; + bool saved_secdefcxt; AclResult aclresult; - saved_uid = GetUserId(); + GetUserIdAndContext(&saved_uid, &saved_secdefcxt); /* * Who is supposed to own the new schema? @@ -86,11 +87,11 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString) * temporarily set the current user so that the object(s) will be created * with the correct ownership. * - * (The setting will revert to session user on error or at the end of this - * routine.) + * (The setting will be restored at the end of this routine, or in case + * of error, transaction abort will clean things up.) */ if (saved_uid != owner_uid) - SetUserId(owner_uid); + SetUserIdAndContext(owner_uid, true); /* Create the schema's namespace */ namespaceId = NamespaceCreate(schemaName, owner_uid); @@ -142,7 +143,7 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString) PopOverrideSearchPath(); /* Reset current user */ - SetUserId(saved_uid); + SetUserIdAndContext(saved_uid, saved_secdefcxt); } -- cgit v1.2.1