diff options
| author | Tom Lane | 2008-01-03 21:25:58 +0000 |
|---|---|---|
| committer | Tom Lane | 2008-01-03 21:25:58 +0000 |
| commit | 218cf59b60c526258f14e672000f59496b227639 (patch) | |
| tree | 8fc3f59821ffc9b4e6a68eee35573b2125bb3d79 /src/include/funcapi.h | |
| parent | 7146fab2a8b02ffe9e6c715519d59cc12ca4a57a (diff) | |
Make standard maintenance operations (including VACUUM, ANALYZE, REINDEX,
and CLUSTER) execute as the table owner rather than the calling user, using
the same privilege-switching mechanism already used for SECURITY DEFINER
functions. The purpose of this change is to ensure that user-defined
functions used in index definitions cannot acquire the privileges of a
superuser account that is performing routine maintenance. While a function
used in an index is supposed to be IMMUTABLE and thus not able to do anything
very interesting, there are several easy ways around that restriction; and
even if we could plug them all, there would remain a risk of reading sensitive
information and broadcasting it through a covert channel such as CPU usage.
To prevent bypassing this security measure, execution of SET SESSION
AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context.
Thanks to Itagaki Takahiro for reporting this vulnerability.
Security: CVE-2007-6600
Diffstat (limited to 'src/include/funcapi.h')
0 files changed, 0 insertions, 0 deletions