diff options
| author | Tom Lane <tgl@sss.pgh.pa.us> | 2008-01-03 21:24:26 +0000 |
|---|---|---|
| committer | Tom Lane <tgl@sss.pgh.pa.us> | 2008-01-03 21:24:26 +0000 |
| commit | 46cf9c260d11d7288769de4917aa1d86b52d1e91 (patch) | |
| tree | 20941a29aa9d777bb0ecf53082034d756934da74 /src/backend/commands/schemacmds.c | |
| parent | 8b1de3b515b80e86dbef5fcbcc29e5e3256de779 (diff) | |
| download | postgresql-46cf9c260d11d7288769de4917aa1d86b52d1e91.tar.gz postgresql-46cf9c260d11d7288769de4917aa1d86b52d1e91.zip | |
Make standard maintenance operations (including VACUUM, ANALYZE, REINDEX,
and CLUSTER) execute as the table owner rather than the calling user, using
the same privilege-switching mechanism already used for SECURITY DEFINER
functions. The purpose of this change is to ensure that user-defined
functions used in index definitions cannot acquire the privileges of a
superuser account that is performing routine maintenance. While a function
used in an index is supposed to be IMMUTABLE and thus not able to do anything
very interesting, there are several easy ways around that restriction; and
even if we could plug them all, there would remain a risk of reading sensitive
information and broadcasting it through a covert channel such as CPU usage.
To prevent bypassing this security measure, execution of SET SESSION
AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context.
Thanks to Itagaki Takahiro for reporting this vulnerability.
Security: CVE-2007-6600
Diffstat (limited to 'src/backend/commands/schemacmds.c')
| -rw-r--r-- | src/backend/commands/schemacmds.c | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/src/backend/commands/schemacmds.c b/src/backend/commands/schemacmds.c index 56a3359a532..957d50d7fa7 100644 --- a/src/backend/commands/schemacmds.c +++ b/src/backend/commands/schemacmds.c @@ -8,7 +8,7 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/commands/schemacmds.c,v 1.35 2005/10/15 02:49:15 momjian Exp $ + * $PostgreSQL: pgsql/src/backend/commands/schemacmds.c,v 1.35.2.1 2008/01/03 21:24:26 tgl Exp $ * *------------------------------------------------------------------------- */ @@ -44,9 +44,10 @@ CreateSchemaCommand(CreateSchemaStmt *stmt) ListCell *parsetree_item; Oid owner_uid; Oid saved_uid; + bool saved_secdefcxt; AclResult aclresult; - saved_uid = GetUserId(); + GetUserIdAndContext(&saved_uid, &saved_secdefcxt); /* * Who is supposed to own the new schema? @@ -82,11 +83,11 @@ CreateSchemaCommand(CreateSchemaStmt *stmt) * temporarily set the current user so that the object(s) will be created * with the correct ownership. * - * (The setting will revert to session user on error or at the end of this - * routine.) + * (The setting will be restored at the end of this routine, or in case + * of error, transaction abort will clean things up.) */ if (saved_uid != owner_uid) - SetUserId(owner_uid); + SetUserIdAndContext(owner_uid, true); /* Create the schema's namespace */ namespaceId = NamespaceCreate(schemaName, owner_uid); @@ -138,7 +139,7 @@ CreateSchemaCommand(CreateSchemaStmt *stmt) PopSpecialNamespace(namespaceId); /* Reset current user */ - SetUserId(saved_uid); + SetUserIdAndContext(saved_uid, saved_secdefcxt); } |