diff options
| author | Tom Lane <tgl@sss.pgh.pa.us> | 2008-01-03 21:24:26 +0000 |
|---|---|---|
| committer | Tom Lane <tgl@sss.pgh.pa.us> | 2008-01-03 21:24:26 +0000 |
| commit | 46cf9c260d11d7288769de4917aa1d86b52d1e91 (patch) | |
| tree | 20941a29aa9d777bb0ecf53082034d756934da74 /src/include/miscadmin.h | |
| parent | 8b1de3b515b80e86dbef5fcbcc29e5e3256de779 (diff) | |
| download | postgresql-46cf9c260d11d7288769de4917aa1d86b52d1e91.tar.gz postgresql-46cf9c260d11d7288769de4917aa1d86b52d1e91.zip | |
Make standard maintenance operations (including VACUUM, ANALYZE, REINDEX,
and CLUSTER) execute as the table owner rather than the calling user, using
the same privilege-switching mechanism already used for SECURITY DEFINER
functions. The purpose of this change is to ensure that user-defined
functions used in index definitions cannot acquire the privileges of a
superuser account that is performing routine maintenance. While a function
used in an index is supposed to be IMMUTABLE and thus not able to do anything
very interesting, there are several easy ways around that restriction; and
even if we could plug them all, there would remain a risk of reading sensitive
information and broadcasting it through a covert channel such as CPU usage.
To prevent bypassing this security measure, execution of SET SESSION
AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context.
Thanks to Itagaki Takahiro for reporting this vulnerability.
Security: CVE-2007-6600
Diffstat (limited to 'src/include/miscadmin.h')
| -rw-r--r-- | src/include/miscadmin.h | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/src/include/miscadmin.h b/src/include/miscadmin.h index b7050bb35fe..7a9a5690265 100644 --- a/src/include/miscadmin.h +++ b/src/include/miscadmin.h @@ -13,7 +13,7 @@ * Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group * Portions Copyright (c) 1994, Regents of the University of California * - * $PostgreSQL: pgsql/src/include/miscadmin.h,v 1.183.2.1 2005/11/22 18:23:27 momjian Exp $ + * $PostgreSQL: pgsql/src/include/miscadmin.h,v 1.183.2.2 2008/01/03 21:24:26 tgl Exp $ * * NOTES * some of the information in this file should be moved to other files. @@ -229,12 +229,13 @@ extern void SetDatabasePath(const char *path); extern char *GetUserNameFromId(Oid roleid); extern Oid GetUserId(void); -extern void SetUserId(Oid userid); extern Oid GetOuterUserId(void); extern Oid GetSessionUserId(void); +extern void GetUserIdAndContext(Oid *userid, bool *sec_def_context); +extern void SetUserIdAndContext(Oid userid, bool sec_def_context); +extern bool InSecurityDefinerContext(void); extern void InitializeSessionUserId(const char *rolename); extern void InitializeSessionUserIdStandalone(void); -extern void AtAbort_UserId(void); extern void SetSessionAuthorization(Oid userid, bool is_superuser); extern Oid GetCurrentRoleId(void); extern void SetCurrentRoleId(Oid roleid, bool is_superuser); |