Make standard maintenance operations (including VACUUM, ANALYZE, REINDEX,

and CLUSTER) execute as the table owner rather than the calling user, using the same privilege-switching mechanism already used for SECURITY DEFINER functions. The purpose of this change is to ensure that user-defined functions used in index definitions cannot acquire the privileges of a superuser account that is performing routine maintenance. While a function used in an index is supposed to be IMMUTABLE and thus not able to do anything very interesting, there are several easy ways around that restriction; and even if we could plug them all, there would remain a risk of reading sensitive information and broadcasting it through a covert channel such as CPU usage. To prevent bypassing this security measure, execution of SET SESSION AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context. Thanks to Itagaki Takahiro for reporting this vulnerability. Security: CVE-2007-6600
author: Tom Lane 2008-01-03 21:25:58 +0000
committer: Tom Lane 2008-01-03 21:25:58 +0000
commit: a60e6a0fcec97d7fbec98739d96cfd14dd3fb71b (patch)
tree: b7ee7e8b875d64b12bd65d7927013655ea87b80a /src/backend/commands/variable.c
parent: f3f5d4dd5b342a1f7b27375eb2a27be2963ef0b0 (diff)
1 files changed, 33 insertions, 0 deletions
diff --git a/src/backend/commands/variable.c b/src/backend/commands/variable.c
index f45a0c6237..aca1f77a95 100644
--- a/src/backend/commands/variable.c
+++ b/src/backend/commands/variable.c
@@ -717,6 +717,21 @@ assign_session_authorization(const char *value, bool doit, GucSource source)
 		/* not a saved ID, so look it up */
 		HeapTuple	roleTup;
 
+		if (InSecurityDefinerContext())
+		{
+			/*
+			 * Disallow SET SESSION AUTHORIZATION inside a security definer
+			 * context.  We need to do this because when we exit the context,
+			 * GUC won't be notified, leaving things out of sync.  Note that
+			 * this test is positioned so that restoring a previously saved
+			 * setting isn't prevented.
+			 */
+			ereport(GUC_complaint_elevel(source),
+					(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+					 errmsg("cannot set session authorization within security-definer function")));
+			return NULL;
+		}
+
 		if (!IsTransactionState())
 		{
 			/*
@@ -823,6 +838,24 @@ assign_role(const char *value, bool doit, GucSource source)
 		}
 	}
 
+	if (roleid == InvalidOid && InSecurityDefinerContext())
+	{
+		/*
+		 * Disallow SET ROLE inside a security definer context.  We need to do
+		 * this because when we exit the context, GUC won't be notified,
+		 * leaving things out of sync.  Note that this test is arranged so
+		 * that restoring a previously saved setting isn't prevented.
+		 *
+		 * XXX it would be nice to allow this case in future, with the
+		 * behavior being that the SET ROLE's effects end when the security
+		 * definer context is exited.
+		 */
+		ereport(GUC_complaint_elevel(source),
+				(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+				 errmsg("cannot set role within security-definer function")));
+		return NULL;
+	}
+
 	if (roleid == InvalidOid &&
 		strcmp(actual_rolename, "none") != 0)
 	{
author	Tom Lane	2008-01-03 21:25:58 +0000
committer	Tom Lane	2008-01-03 21:25:58 +0000
commit	a60e6a0fcec97d7fbec98739d96cfd14dd3fb71b (patch)
tree	b7ee7e8b875d64b12bd65d7927013655ea87b80a /src/backend/commands/variable.c
parent	f3f5d4dd5b342a1f7b27375eb2a27be2963ef0b0 (diff)