Make standard maintenance operations (including VACUUM, ANALYZE, REINDEX,

Tom Lane <tgl@sss.pgh.pa.us>

Commit: 230d5cfc4739bc4963c8d67e4a7cd84abe53ef93
Author: Tom Lane <tgl@sss.pgh.pa.us>
Date: 2008-01-03T21:25:34Z
Releases: 7.4.19
Make standard maintenance operations (including VACUUM, ANALYZE, REINDEX,
and CLUSTER) execute as the table owner rather than the calling user, using
the same privilege-switching mechanism already used for SECURITY DEFINER
functions.  The purpose of this change is to ensure that user-defined
functions used in index definitions cannot acquire the privileges of a
superuser account that is performing routine maintenance.  While a function
used in an index is supposed to be IMMUTABLE and thus not able to do anything
very interesting, there are several easy ways around that restriction; and
even if we could plug them all, there would remain a risk of reading sensitive
information and broadcasting it through a covert channel such as CPU usage.

To prevent bypassing this security measure, execution of SET SESSION
AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context.

Thanks to Itagaki Takahiro for reporting this vulnerability.

Security: CVE-2007-6600

Files