From eaabaa7e045874b8b5ec158368e2b5403f5fc69c Mon Sep 17 00:00:00 2001
From: Tom Lane
Date: Fri, 20 Apr 2007 02:38:46 +0000
Subject: Support explicit placement of the temporary-table schema within search_path.
This is needed to allow a security-definer function to set a truly secure value of search_path. Without it, a malicious user can use temporary objects to execute code with the privileges of the security-definer function. Even pushing the temp schema to the back of the search path is not quite good enough, because a function or operator at the back of the path might still capture control from one nearer the front due to having a more exact datatype match. Hence, disable searching the temp schema altogether for functions and operators.
Security: CVE-2007-2138
---
 doc/src/sgml/ref/create_function.sgml | 50 ++++++++++++++++++++++++++++++-
 doc/src/sgml/release.sgml | 55 +++++++++++++++++++++++++++++++----
 doc/src/sgml/runtime.sgml | 16 +++++++---
 3 files changed, 110 insertions(+), 11 deletions(-)
(limited to 'doc/src')
diff --git a/doc/src/sgml/ref/create_function.sgml b/doc/src/sgml/ref/create_function.sgml
index 26c066cd52f..42553f52203 100644
--- a/doc/src/sgml/ref/create_function.sgml
+++ b/doc/src/sgml/ref/create_function.sgml
@@ -1,5 +1,5 @@
@@ -382,6 +382,54 @@ CREATE FUNCTION add(integer, integer) RETURNS integer
+
+ Writing <literal>SECURITY DEFINER</literal> Functions Safely
+
+
+ Because a SECURITY DEFINER function is executed
+ with the privileges of the user that created it, care is needed to
+ ensure that the function cannot be misused. For security,
+ should be set to exclude any schemas
+ writable by untrusted users. This prevents
+ malicious users from creating objects that mask objects used by the
+ function. Particularly important is in this regard is the
+ temporary-table schema, which is searched first by default, and
+ is normally writable by anyone. A secure arrangement can be had
+ by forcing the temporary schema to be searched last. To do this,
+ write pg_temp as the last entry in search_path.
+ This function illustrates safe usage:
+
+
+CREATE FUNCTION check_password(TEXT, TEXT)
+RETURNS BOOLEAN AS '
+DECLARE passed BOOLEAN;
+ old_path TEXT;
+BEGIN
+ -- Save old search_path; notice we must qualify current_setting
+ -- to ensure we invoke the right function
+ old_path := pg_catalog.current_setting(''search_path'');
+
+ -- Set a secure search_path: trusted schemas, then ''pg_temp''.
+ -- We set is_local = true so that the old value will be restored
+ -- in event of an error before we reach the function end.
+ PERFORM pg_catalog.set_config(''search_path'', ''admin, pg_temp'', true);
+
+ -- Do whatever secure work we came for.
+ SELECT (pwd = $2) INTO passed
+ FROM pwds
+ WHERE username = $1;
+
+ -- Restore caller''s search_path
+ PERFORM pg_catalog.set_config(''search_path'', old_path, true);
+
+ RETURN passed;
+END;
+' LANGUAGE plpgsql SECURITY DEFINER;
+ + + + Compatibility
diff --git a/doc/src/sgml/release.sgml b/doc/src/sgml/release.sgml
index b1aac7d1377..8f375baf399 100644
--- a/doc/src/sgml/release.sgml
+++ b/doc/src/sgml/release.sgml
@@ -1,5 +1,5 @@
@@ -14,7 +14,8 @@ $Header: /cvsroot/pgsql/doc/src/sgml/release.sgml,v 1.235.2.52 2007/04/19 13:01:
- This release contains a variety of fixes from 7.4.16.
+ This release contains fixes from 7.4.16,
+ including a security fix.
@@ -35,13 +36,37 @@ $Header: /cvsroot/pgsql/doc/src/sgml/release.sgml,v 1.235.2.52 2007/04/19 13:01:
- /contrib/tsearch2 fixes (Teodor)
+ Support explicit placement of the temporary-table schema within
+ search_path, and disable searching it for functions
+ and operators (Tom)
+
+
+ This is needed to allow a security-definer function to set a
+ truly secure value of search_path. Without it,
+ an unprivileged SQL user can use temporary objects to execute code
+ with the privileges of the security-definer function (CVE-2007-2138).
+ See for more information.
+
+
+
+
+
+ /contrib/tsearch2 crash fixes (Teodor)
+
+
+
+
+
+ Fix potential-data-corruption bug in how VACUUM FULL handles
+ UPDATE chains (Tom, Pavan Deolasee)
- Fix bug in how VACUUM FULL handles UPDATE chains (Tom, Pavan Deolasee)
+ Fix PANIC during enlargement of a hash index (bug introduced in 7.4.15)
+ (Tom)
@@ -3174,7 +3199,8 @@ DROP SCHEMA information_schema CASCADE;
- This release contains a variety of fixes from 7.3.18.
+ This release contains fixes from 7.3.18,
+ including a security fix.
@@ -3195,7 +3221,24 @@ DROP SCHEMA information_schema CASCADE;
- Fix bug in how VACUUM FULL handles UPDATE chains (Tom, Pavan Deolasee)
+ Support explicit placement of the temporary-table schema within
+ search_path, and disable searching it for functions
+ and operators (Tom)
+
+
+ This is needed to allow a security-definer function to set a
+ truly secure value of search_path. Without it,
+ an unprivileged SQL user can use temporary objects to execute code
+ with the privileges of the security-definer function (CVE-2007-2138).
+ See for more information.
+
+
+
+
+
+ Fix potential-data-corruption bug in how VACUUM FULL handles
+ UPDATE chains (Tom, Pavan Deolasee)
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index 91b59d0f86a..58aa9650bc7 100644
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -1,5 +1,5 @@
@@ -1980,9 +1980,17 @@ SET ENABLE_SEQSCAN TO OFF;
 mentioned in the path then it will be searched in the specified order. If pg_catalog is not in the path then it will be searched before searching any of the path items.
- It should also be noted that the temporary-table schema,
- pg_temp_nnn, is implicitly searched before any of
- these.
+
+
+ Likewise, the current session's temporary-table schema,
+ pg_temp_nnn, is always searched if it
+ exists. It can be explicitly listed in the path by using the
+ alias pg_temp. If it is not listed in the path then
+ it is searched first (before even pg_catalog). However,
+ the temporary schema is only searched for relation (table, view,
+ sequence, etc) and data type names. It will never be searched for
+ function or operator names.
-- cgit v1.2.3