From 218cf59b60c526258f14e672000f59496b227639 Mon Sep 17 00:00:00 2001
From: Tom Lane
Date: Thu, 3 Jan 2008 21:25:58 +0000
Subject: Make standard maintenance operations (including VACUUM, ANALYZE, REINDEX, and CLUSTER) execute as the table owner rather than the calling user, using the same privilege-switching mechanism already used for SECURITY DEFINER functions. The purpose of this change is to ensure that user-defined functions used in index definitions cannot acquire the privileges of a superuser account that is performing routine maintenance. While a function used in an index is supposed to be IMMUTABLE and thus not able to do anything very interesting, there are several easy ways around that restriction; and even if we could plug them all, there would remain a risk of reading sensitive information and broadcasting it through a covert channel such as CPU usage. To prevent bypassing this security measure, execution of SET SESSION AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context. Thanks to Itagaki Takahiro for reporting this vulnerability. Security: CVE-2007-6600
---
 src/backend/commands/schemacmds.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
(limited to 'src/backend/commands/schemacmds.c')
diff --git a/src/backend/commands/schemacmds.c b/src/backend/commands/schemacmds.c
index 09165d47bd..ba62a54223 100644
--- a/src/backend/commands/schemacmds.c
+++ b/src/backend/commands/schemacmds.c
@@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/backend/commands/schemacmds.c,v 1.6 2002/09/04 20:31:15 momjian Exp $
+ * $Header: /cvsroot/pgsql/src/backend/commands/schemacmds.c,v 1.6.2.1 2008/01/03 21:25:58 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -43,9 +43,10 @@ CreateSchemaCommand(CreateSchemaStmt *stmt)
 const char *owner_name;
 Oid owner_userid;
 Oid saved_userid;
+ bool saved_secdefcxt;
 AclResult aclresult;
- saved_userid = GetUserId();
+ GetUserIdAndContext(&saved_userid, &saved_secdefcxt);
 /*
 * Figure out user identities.
@@ -68,7 +69,7 @@ CreateSchemaCommand(CreateSchemaStmt *stmt)
 * (This will revert to session user on error or at the end of
 * this routine.)
 */
- SetUserId(owner_userid);
+ SetUserIdAndContext(owner_userid, true);
 }
 else /* not superuser */
@@ -143,7 +144,7 @@ CreateSchemaCommand(CreateSchemaStmt *stmt)
 PopSpecialNamespace(namespaceId);
 /* Reset current user */
- SetUserId(saved_userid);
+ SetUserIdAndContext(saved_userid, saved_secdefcxt);
 }
-- cgit v1.2.1
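Review bot: The bare `true` in `SetUserIdAndContext(owner_userid, true)` (hunk @@ -68,7) is the only indication of why this switch differs from the old `SetUserId`, and it is the security-relevant part of the change: it is what makes SET SESSION AUTHORIZATION / SET ROLE fail while the schema elements run as the owner, so a comment is warranted. I would extend the existing block comment with `* We switch in SECURITY DEFINER context so that the schema elements` / `* cannot use SET SESSION AUTHORIZATION or SET ROLE to escape the` / `* owner's identity.`. The same comment still says the switch "will revert to session user on error or at the end of this routine", but the restore in hunk @@ -143,7 now puts back `saved_userid` and `saved_secdefcxt`, i.e. the caller's user id and context rather than necessarily the session user, so I would reword it to `revert to the saved user id and context`. Whether transaction abort also restores the saved security-definer flag is handled outside this file and cannot be confirmed from the hunk. CreateSchemaCommand begins and ends outside these hunks.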