Make standard maintenance operations (including VACUUM, ANALYZE, REINDEX,

Tom Lane <tgl@sss.pgh.pa.us>

Commit: eedb068c0a7474fb11d67d03b0a9e1ded5df82c4
Author: Tom Lane <tgl@sss.pgh.pa.us>
Date: 2008-01-03T21:23:15Z
Releases: 8.3.0
Make standard maintenance operations (including VACUUM, ANALYZE, REINDEX,
and CLUSTER) execute as the table owner rather than the calling user, using
the same privilege-switching mechanism already used for SECURITY DEFINER
functions.  The purpose of this change is to ensure that user-defined
functions used in index definitions cannot acquire the privileges of a
superuser account that is performing routine maintenance.  While a function
used in an index is supposed to be IMMUTABLE and thus not able to do anything
very interesting, there are several easy ways around that restriction; and
even if we could plug them all, there would remain a risk of reading sensitive
information and broadcasting it through a covert channel such as CPU usage.

To prevent bypassing this security measure, execution of SET SESSION
AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context.

Thanks to Itagaki Takahiro for reporting this vulnerability.

Security: CVE-2007-6600

Files