git.ipfire.org Git - thirdparty/postgresql.git/commit

author	Tom Lane <tgl@sss.pgh.pa.us>
	Thu, 3 Jan 2008 21:25:34 +0000 (21:25 +0000)
committer	Tom Lane <tgl@sss.pgh.pa.us>
	Thu, 3 Jan 2008 21:25:34 +0000 (21:25 +0000)
commit	230d5cfc4739bc4963c8d67e4a7cd84abe53ef93
tree	0fa8d138ed251e873bd55a4e7b402fbdd9f57488	tree
parent	0776cb2116f4eaec743f1e304c1255c318a20d1f	commit \| diff

Make standard maintenance operations (including VACUUM, ANALYZE, REINDEX,
and CLUSTER) execute as the table owner rather than the calling user, using
the same privilege-switching mechanism already used for SECURITY DEFINER
functions. The purpose of this change is to ensure that user-defined
functions used in index definitions cannot acquire the privileges of a
superuser account that is performing routine maintenance. While a function
used in an index is supposed to be IMMUTABLE and thus not able to do anything
very interesting, there are several easy ways around that restriction; and
even if we could plug them all, there would remain a risk of reading sensitive
information and broadcasting it through a covert channel such as CPU usage.

To prevent bypassing this security measure, execution of SET SESSION
AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context.

Thanks to Itagaki Takahiro for reporting this vulnerability.

Security: CVE-2007-6600

doc/src/sgml/ref/set_session_auth.sgml		diff \| blob \| blame \| history
src/backend/access/transam/xact.c		diff \| blob \| blame \| history
src/backend/catalog/index.c		diff \| blob \| blame \| history
src/backend/commands/schemacmds.c		diff \| blob \| blame \| history
src/backend/commands/vacuum.c		diff \| blob \| blame \| history
src/backend/commands/variable.c		diff \| blob \| blame \| history
src/backend/utils/adt/ri_triggers.c		diff \| blob \| blame \| history
src/backend/utils/fmgr/fmgr.c		diff \| blob \| blame \| history
src/backend/utils/init/miscinit.c		diff \| blob \| blame \| history
src/include/miscadmin.h		diff \| blob \| blame \| history