pgsql: Empty search_path in Autovacuum and non-psql/pgbench clients.

From: Noah Misch <noah(at)leadboat(dot)com>
To: pgsql-committers(at)postgresql(dot)org
Subject: pgsql: Empty search_path in Autovacuum and non-psql/pgbench clients.
Date: 2018-02-26 15:42:30
Message-ID: E1eqKv8-000695-W5@gemulon.postgresql.org
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-committers

Empty search_path in Autovacuum and non-psql/pgbench clients.

This makes the client programs behave as documented regardless of the
connect-time search_path and regardless of user-created objects. Today,
a malicious user with CREATE permission on a search_path schema can take
control of certain of these clients' queries and invoke arbitrary SQL
functions under the client identity, often a superuser. This is
exploitable in the default configuration, where all users have CREATE
privilege on schema "public".

This changes behavior of user-defined code stored in the database, like
pg_index.indexprs and pg_extension_config_dump(). If they reach code
bearing unqualified names, "does not exist" or "no schema has been
selected to create in" errors might appear. Users may fix such errors
by schema-qualifying affected names. After upgrading, consider watching
server logs for these errors.

The --table arguments of src/bin/scripts clients have been lax; for
example, "vacuumdb -Zt pg_am\;CHECKPOINT" performed a checkpoint. That
now fails, but for now, "vacuumdb -Zt 'pg_am(amname);CHECKPOINT'" still
performs a checkpoint.

Back-patch to 9.3 (all supported versions).

Reviewed by Tom Lane, though this fix strategy was not his first choice.
Reported by Arseniy Sharoglazov.

Security: CVE-2018-1058

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/582edc369cdbd348d68441fc50fa26a84afd0c1a

Modified Files
--------------
contrib/oid2name/oid2name.c | 13 ++++
contrib/vacuumlo/vacuumlo.c | 8 +-
src/backend/postmaster/autovacuum.c | 14 ++++
src/bin/pg_basebackup/streamutil.c | 18 +++++
src/bin/pg_dump/pg_backup_db.c | 9 +++
src/bin/pg_dump/pg_dump.c | 17 ++++-
src/bin/pg_dump/pg_dumpall.c | 6 +-
src/bin/pg_rewind/libpq_fetch.c | 7 ++
src/bin/pg_upgrade/server.c | 3 +
src/bin/scripts/clusterdb.c | 12 ++-
src/bin/scripts/common.c | 137 +++++++++++++++++++++++++++++++---
src/bin/scripts/common.h | 10 ++-
src/bin/scripts/createdb.c | 2 +-
src/bin/scripts/createuser.c | 2 +-
src/bin/scripts/dropdb.c | 3 +-
src/bin/scripts/dropuser.c | 2 +-
src/bin/scripts/reindexdb.c | 23 +++---
src/bin/scripts/t/010_clusterdb.pl | 2 +-
src/bin/scripts/t/090_reindexdb.pl | 6 +-
src/bin/scripts/t/100_vacuumdb.pl | 28 ++++++-
src/bin/scripts/vacuumdb.c | 29 ++++---
src/fe_utils/string_utils.c | 16 ++--
src/include/fe_utils/connect.h | 28 +++++++
src/tools/findoidjoins/findoidjoins.c | 9 +++
24 files changed, 338 insertions(+), 66 deletions(-)

Browse pgsql-committers by date

  From Date Subject
Next Message Noah Misch 2018-02-26 15:42:31 pgsql: Document security implications of search_path and the public sch
Previous Message Tom Lane 2018-02-26 15:20:02 pgsql: Avoid using unsafe search_path settings during dump and restore.