Make relation-enumerating operations be security-restricted operations.
Noah Misch <noah@leadboat.com>
Make relation-enumerating operations be security-restricted operations. When a feature enumerates relations and runs functions associated with all found relations, the feature's user shall not need to trust every user having permission to create objects. BRIN-specific functionality in autovacuum neglected to account for this, as did pg_amcheck and CLUSTER. An attacker having permission to create non-temp objects in at least one schema could execute arbitrary SQL functions under the identity of the bootstrap superuser. CREATE INDEX (not a relation-enumerating operation) and REINDEX protected themselves too late. This change extends to the non-enumerating amcheck interface. Back-patch to v10 (all supported versions). Sergey Shinderuk, reviewed (in earlier versions) by Alexander Lakhin. Reported by Alexander Lakhin. Security: CVE-2022-1552
Files
| Path | Change | +/− |
|---|---|---|
| contrib/amcheck/expected/check_btree.out | modified | +23 −0 |
| contrib/amcheck/sql/check_btree.sql | modified | +21 −0 |
| contrib/amcheck/verify_nbtree.c | modified | +27 −0 |
| src/backend/access/brin/brin.c | modified | +28 −1 |
| src/backend/catalog/index.c | modified | +51 −14 |
| src/backend/commands/cluster.c | modified | +26 −11 |
| src/backend/commands/indexcmds.c | modified | +85 −13 |
| src/backend/utils/init/miscinit.c | modified | +15 −9 |
| src/test/regress/expected/privileges.out | modified | +55 −0 |
| src/test/regress/sql/privileges.sql | modified | +47 −0 |