From 46cf9c260d11d7288769de4917aa1d86b52d1e91 Mon Sep 17 00:00:00 2001
From: Tom Lane
Date: Thu, 3 Jan 2008 21:24:26 +0000
Subject: Make standard maintenance operations (including VACUUM, ANALYZE,
REINDEX, and CLUSTER) execute as the table owner rather than the calling
user, using the same privilege-switching mechanism already used for SECURITY
DEFINER functions. The purpose of this change is to ensure that user-defined
functions used in index definitions cannot acquire the privileges of a
superuser account that is performing routine maintenance. While a function
used in an index is supposed to be IMMUTABLE and thus not able to do anything
very interesting, there are several easy ways around that restriction; and
even if we could plug them all, there would remain a risk of reading
sensitive information and broadcasting it through a covert channel such as
CPU usage.
To prevent bypassing this security measure, execution of SET SESSION
AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context.
Thanks to Itagaki Takahiro for reporting this vulnerability.
Security: CVE-2007-6600
---
doc/src/sgml/ref/set_role.sgml | 9 +++++++--
doc/src/sgml/ref/set_session_auth.sgml | 15 ++++++++++++---
doc/src/sgml/ref/show.sgml | 5 ++---
3 files changed, 21 insertions(+), 8 deletions(-)
(limited to 'doc/src')
diff --git a/doc/src/sgml/ref/set_role.sgml b/doc/src/sgml/ref/set_role.sgml
index e4b57743a4d..9a3571f08da 100644
--- a/doc/src/sgml/ref/set_role.sgml
+++ b/doc/src/sgml/ref/set_role.sgml
@@ -1,5 +1,5 @@
@@ -31,7 +31,7 @@ RESET ROLE
This command sets the current user
- identifier of the current SQL-session context to be rolename. The role name may be
written as either an identifier or a string literal.
After SET ROLE, permissions checking for SQL commands
@@ -89,6 +89,11 @@ RESET ROLE
roles with SET ROLE does not change the set of roles
allowed to a later SET ROLE.
+
+
+ SET ROLE cannot be used within a
+ SECURITY DEFINER function.
+
diff --git a/doc/src/sgml/ref/set_session_auth.sgml b/doc/src/sgml/ref/set_session_auth.sgml
index 56642c15354..8352b669270 100644
--- a/doc/src/sgml/ref/set_session_auth.sgml
+++ b/doc/src/sgml/ref/set_session_auth.sgml
@@ -1,4 +1,4 @@
-
+
SET SESSION AUTHORIZATION
@@ -27,7 +27,7 @@ RESET SESSION AUTHORIZATION
This command sets the session user identifier and the current user
- identifier of the current SQL-session context to be username. The user name may be
written as either an identifier or a string literal. Using this
command, it is possible, for example, to temporarily become an
@@ -38,7 +38,7 @@ RESET SESSION AUTHORIZATION
The session user identifier is initially set to be the (possibly
authenticated) user name provided by the client. The current user
identifier is normally equal to the session user identifier, but
- may change temporarily in the context of setuid
+ might change temporarily in the context of SECURITY DEFINER
functions and similar mechanisms; it can also be changed by
.
The current user identifier is relevant for permission checking.
@@ -64,6 +64,15 @@ RESET SESSION AUTHORIZATION
+
+ Notes
+
+
+ SET SESSION AUTHORIZATION cannot be used within a
+ SECURITY DEFINER function.
+
+
+
Examples
diff --git a/doc/src/sgml/ref/show.sgml b/doc/src/sgml/ref/show.sgml
index 843c13756bb..fa988798610 100644
--- a/doc/src/sgml/ref/show.sgml
+++ b/doc/src/sgml/ref/show.sgml
@@ -1,5 +1,5 @@
@@ -104,8 +104,7 @@ SHOW ALL
IS_SUPERUSER
- True if the current session authorization identifier has
- superuser privileges.
+ True if the current role has superuser privileges.
--
cgit v1.2.3