| From: | tgl(at)postgresql(dot)org (Tom Lane) |
|---|---|
| To: | pgsql-committers(at)postgresql(dot)org |
| Subject: | pgsql: Make standard maintenance operations (including VACUUM, ANALYZE, |
| Date: | 2008-01-03 21:25:58 |
| Message-ID: | 20080103212558.EED5D754108@cvs.postgresql.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-committers |
Log Message:
-----------
Make standard maintenance operations (including VACUUM, ANALYZE, REINDEX,
and CLUSTER) execute as the table owner rather than the calling user, using
the same privilege-switching mechanism already used for SECURITY DEFINER
functions. The purpose of this change is to ensure that user-defined
functions used in index definitions cannot acquire the privileges of a
superuser account that is performing routine maintenance. While a function
used in an index is supposed to be IMMUTABLE and thus not able to do anything
very interesting, there are several easy ways around that restriction; and
even if we could plug them all, there would remain a risk of reading sensitive
information and broadcasting it through a covert channel such as CPU usage.
To prevent bypassing this security measure, execution of SET SESSION
AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context.
Thanks to Itagaki Takahiro for reporting this vulnerability.
Security: CVE-2007-6600
Tags:
----
REL7_3_STABLE
Modified Files:
--------------
pgsql/doc/src/sgml/ref:
set_session_auth.sgml (r1.7 -> r1.7.2.1)
(http://developer.postgresql.org/cvsweb.cgi/pgsql/doc/src/sgml/ref/set_session_auth.sgml?r1=1.7&r2=1.7.2.1)
pgsql/src/backend/access/transam:
xact.c (r1.135.2.4 -> r1.135.2.5)
(http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/access/transam/xact.c?r1=1.135.2.4&r2=1.135.2.5)
pgsql/src/backend/catalog:
index.c (r1.202.2.1 -> r1.202.2.2)
(http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/catalog/index.c?r1=1.202.2.1&r2=1.202.2.2)
pgsql/src/backend/commands:
schemacmds.c (r1.6 -> r1.6.2.1)
(http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/commands/schemacmds.c?r1=1.6&r2=1.6.2.1)
vacuum.c (r1.244.2.2 -> r1.244.2.3)
(http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/commands/vacuum.c?r1=1.244.2.2&r2=1.244.2.3)
variable.c (r1.71.2.4 -> r1.71.2.5)
(http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/commands/variable.c?r1=1.71.2.4&r2=1.71.2.5)
pgsql/src/backend/utils/adt:
ri_triggers.c (r1.43.2.5 -> r1.43.2.6)
(http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/utils/adt/ri_triggers.c?r1=1.43.2.5&r2=1.43.2.6)
pgsql/src/backend/utils/fmgr:
fmgr.c (r1.63 -> r1.63.2.1)
(http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/utils/fmgr/fmgr.c?r1=1.63&r2=1.63.2.1)
pgsql/src/backend/utils/init:
miscinit.c (r1.96 -> r1.96.2.1)
(http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/utils/init/miscinit.c?r1=1.96&r2=1.96.2.1)
pgsql/src/include:
miscadmin.h (r1.111 -> r1.111.2.1)
(http://developer.postgresql.org/cvsweb.cgi/pgsql/src/include/miscadmin.h?r1=1.111&r2=1.111.2.1)
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2008-01-03 21:27:59 | pgsql: The original patch to disallow non-passworded connections to |
| Previous Message | Tom Lane | 2008-01-03 21:25:34 | pgsql: Make standard maintenance operations (including VACUUM, ANALYZE, |