From 108b19d8609af994f8fa69cd0d8e15a2807a1367 Mon Sep 17 00:00:00 2001
From: Tom Lane
Date: Thu, 3 Jan 2008 21:25:00 +0000
Subject: Make standard maintenance operations (including VACUUM, ANALYZE,
 REINDEX, and CLUSTER) execute as the table owner rather than the calling
 user, using the same privilege-switching mechanism already used for SECURITY
 DEFINER functions.  The purpose of this change is to ensure that user-defined
 functions used in index definitions cannot acquire the privileges of a
 superuser account that is performing routine maintenance.  While a function
 used in an index is supposed to be IMMUTABLE and thus not able to do anything
 very interesting, there are several easy ways around that restriction; and
 even if we could plug them all, there would remain a risk of reading
 sensitive information and broadcasting it through a covert channel such as
 CPU usage.

To prevent bypassing this security measure, execution of SET SESSION
AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context.

Thanks to Itagaki Takahiro for reporting this vulnerability.

Security: CVE-2007-6600
---
 doc/src/sgml/ref/set_session_auth.sgml | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

(limited to 'doc/src')

diff --git a/doc/src/sgml/ref/set_session_auth.sgml b/doc/src/sgml/ref/set_session_auth.sgml
index 7014b8d2ab3..568aee19b36 100644
--- a/doc/src/sgml/ref/set_session_auth.sgml
+++ b/doc/src/sgml/ref/set_session_auth.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/ref/set_session_auth.sgml,v 1.12 2003/11/29 19:51:39 pgsql Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/ref/set_session_auth.sgml,v 1.12.4.1 2008/01/03 21:25:00 tgl Exp $ -->
 <refentry id="SQL-SET-SESSION-AUTHORIZATION">
  <refmeta>
   <refentrytitle id="sql-set-session-authorization-title">SET SESSION AUTHORIZATION</refentrytitle>
@@ -27,7 +27,7 @@ RESET SESSION AUTHORIZATION
 
   <para>
    This command sets the session user identifier and the current user
-   identifier of the current SQL-session context to be <replaceable
+   identifier of the current SQL session to be <replaceable
    class="parameter">username</replaceable>.  The user name may be
    written as either an identifier or a string literal.  Using this
    command, it is possible, for example, to temporarily become an
@@ -38,7 +38,7 @@ RESET SESSION AUTHORIZATION
    The session user identifier is initially set to be the (possibly
    authenticated) user name provided by the client.  The current user
    identifier is normally equal to the session user identifier, but
-   may change temporarily in the context of <quote>setuid</quote>
+   might change temporarily in the context of <literal>SECURITY DEFINER</>
    functions and similar mechanisms.  The current user identifier is
    relevant for permission checking.
   </para>
@@ -63,6 +63,15 @@ RESET SESSION AUTHORIZATION
   </para>
  </refsect1>
 
+ <refsect1>
+  <title>Notes</title>
+
+  <para>
+   <command>SET SESSION AUTHORIZATION</> cannot be used within a
+   <literal>SECURITY DEFINER</> function.
+  </para>
+ </refsect1>
+
  <refsect1>
   <title>Examples</title>
 
-- 
cgit v1.2.3