Make standard maintenance operations (including VACUUM, ANALYZE, REINDEX,
Tom Lane <tgl@sss.pgh.pa.us>
Make standard maintenance operations (including VACUUM, ANALYZE, REINDEX, and CLUSTER) execute as the table owner rather than the calling user, using the same privilege-switching mechanism already used for SECURITY DEFINER functions. The purpose of this change is to ensure that user-defined functions used in index definitions cannot acquire the privileges of a superuser account that is performing routine maintenance. While a function used in an index is supposed to be IMMUTABLE and thus not able to do anything very interesting, there are several easy ways around that restriction; and even if we could plug them all, there would remain a risk of reading sensitive information and broadcasting it through a covert channel such as CPU usage. To prevent bypassing this security measure, execution of SET SESSION AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context. Thanks to Itagaki Takahiro for reporting this vulnerability. Security: CVE-2007-6600
Files
| Path | Change | +/− |
|---|---|---|
| doc/src/sgml/ref/set_role.sgml | modified | +7 −2 |
| doc/src/sgml/ref/set_session_auth.sgml | modified | +12 −3 |
| doc/src/sgml/ref/show.sgml | modified | +2 −3 |
| src/backend/access/transam/xact.c | modified | +25 −43 |
| src/backend/catalog/index.c | modified | +25 −1 |
| src/backend/commands/analyze.c | modified | +22 −9 |
| src/backend/commands/schemacmds.c | modified | +7 −6 |
| src/backend/commands/vacuum.c | modified | +14 −1 |
| src/backend/commands/variable.c | modified | +34 −1 |
| src/backend/utils/adt/ri_triggers.c | modified | +11 −9 |
| src/backend/utils/fmgr/fmgr.c | modified | +24 −19 |
| src/backend/utils/init/miscinit.c | modified | +50 −27 |
| src/include/miscadmin.h | modified | +4 −3 |