Make standard maintenance operations (including VACUUM, ANALYZE, REINDEX,

and CLUSTER) execute as the table owner rather than the calling user, using
the same privilege-switching mechanism already used for SECURITY DEFINER
functions.  The purpose of this change is to ensure that user-defined
functions used in index definitions cannot acquire the privileges of a
superuser account that is performing routine maintenance.  While a function
used in an index is supposed to be IMMUTABLE and thus not able to do anything
very interesting, there are several easy ways around that restriction; and
even if we could plug them all, there would remain a risk of reading sensitive
information and broadcasting it through a covert channel such as CPU usage.

To prevent bypassing this security measure, execution of SET SESSION
AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context.

Thanks to Itagaki Takahiro for reporting this vulnerability.

Security: CVE-2007-6600

Author: tglsfdc

doc/src/sgml/ref/set_session_auth.sgml

@@ -1,4 +1,4 @@
-<!-- $Header: /cvsroot/pgsql/doc/src/sgml/ref/set_session_auth.sgml,v 1.7 2002/09/21 18:32:54 petere Exp $ -->
+<!-- $Header: /cvsroot/pgsql/doc/src/sgml/ref/set_session_auth.sgml,v 1.7.2.1 2008/01/03 21:25:58 tgl Exp $ -->
 <refentry id="SQL-SET-SESSION-AUTHORIZATION">
  <docinfo>
   <date>2001-04-21</date>
@@ -27,7 +27,7 @@ RESET SESSION AUTHORIZATION
 
   <para>
    This command sets the session user identifier and the current user
-   identifier of the current SQL-session context to be
+   identifier of the current SQL session to be
    <parameter>username</parameter>.  The user name may be written as
    either an identifier or a string literal.
    The session user identifier is valid for the duration of a
@@ -39,7 +39,7 @@ RESET SESSION AUTHORIZATION
    The session user identifier is initially set to be the (possibly
    authenticated) user name provided by the client.  The current user
    identifier is normally equal to the session user identifier, but
-   may change temporarily in the context of <quote>setuid</quote>
+   might change temporarily in the context of <literal>SECURITY DEFINER</>
    functions and similar mechanisms.  The current user identifier is
    relevant for permission checking.
   </para>
@@ -65,6 +65,15 @@ RESET SESSION AUTHORIZATION
 
  </refsect1>
 
+ <refsect1>
+  <title>Notes</title>
+
+  <para>
+   <command>SET SESSION AUTHORIZATION</> cannot be used within a
+   <literal>SECURITY DEFINER</> function.
+  </para>
+ </refsect1>
+
  <refsect1>
   <title>Examples</title>
 

src/backend/access/transam/xact.c

@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/access/transam/xact.c,v 1.135.2.4 2007/04/26 23:25:48 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/access/transam/xact.c,v 1.135.2.5 2008/01/03 21:25:58 tgl Exp $
  *
  * NOTES
  *		Transaction aborts can now occur two ways:
@@ -215,6 +215,8 @@ static TransactionStateData CurrentTransactionStateData = {
 
 TransactionState CurrentTransactionState = &CurrentTransactionStateData;
 
+static Oid	prevUser;			/* CurrentUserId at transaction start */
+
 /*
  * User-tweakable parameters
  */
@@ -960,6 +962,7 @@ static void
 CommitTransaction(void)
 {
 	TransactionState s = CurrentTransactionState;
+	bool		prevSecDefCxt;
 
 	/*
 	 * check the current transaction state
@@ -983,6 +986,10 @@ CommitTransaction(void)
 	 */
 	s->state = TRANS_COMMIT;
 
+	GetUserIdAndContext(&prevUser, &prevSecDefCxt);
+	/* SecurityDefinerContext should never be set outside a transaction */
+	Assert(!prevSecDefCxt);
+
 	/*
 	 * Do pre-commit processing (most of this stuff requires database
 	 * access, and in fact could still cause an error...)
@@ -1118,9 +1125,16 @@ AbortTransaction(void)
 	AtAbort_Memory();
 
 	/*
-	 * Reset user id which might have been changed transiently
+	 * Reset user ID which might have been changed transiently.  We need this
+	 * to clean up in case control escaped out of a SECURITY DEFINER function
+	 * or other local change of CurrentUserId; therefore, the prior value
+	 * of SecurityDefinerContext also needs to be restored.
+	 *
+	 * (Note: it is not necessary to restore session authorization
+	 * setting here because that can only be changed via GUC, and GUC will
+	 * take care of rolling it back if need be.)
 	 */
-	SetUserId(GetSessionUserId());
+	SetUserIdAndContext(prevUser, false);
 
 	/*
 	 * do abort processing

src/backend/catalog/index.c

@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/catalog/index.c,v 1.202.2.1 2005/06/25 16:54:30 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/catalog/index.c,v 1.202.2.2 2008/01/03 21:25:58 tgl Exp $
  *
  *
  * INTERFACE ROUTINES
@@ -1439,6 +1439,8 @@ index_build(Relation heapRelation,
 			IndexInfo *indexInfo)
 {
 	RegProcedure procedure;
+	Oid			save_userid;
+	bool		save_secdefcxt;
 
 	/*
 	 * sanity checks
@@ -1449,13 +1451,23 @@ index_build(Relation heapRelation,
 	procedure = indexRelation->rd_am->ambuild;
 	Assert(RegProcedureIsValid(procedure));
 
+	/*
+	 * Switch to the table owner's userid, so that any index functions are
+	 * run as that user.
+	 */
+	GetUserIdAndContext(&save_userid, &save_secdefcxt);
+	SetUserIdAndContext(heapRelation->rd_rel->relowner, true);
+
 	/*
 	 * Call the access method's build procedure
 	 */
 	OidFunctionCall3(procedure,
 					 PointerGetDatum(heapRelation),
 					 PointerGetDatum(indexRelation),
 					 PointerGetDatum(indexInfo));
+
+	/* Restore userid */
+	SetUserIdAndContext(save_userid, save_secdefcxt);
 }
 
 

src/backend/commands/schemacmds.c

@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/commands/schemacmds.c,v 1.6 2002/09/04 20:31:15 momjian Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/commands/schemacmds.c,v 1.6.2.1 2008/01/03 21:25:58 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -43,9 +43,10 @@ CreateSchemaCommand(CreateSchemaStmt *stmt)
 	const char *owner_name;
 	Oid			owner_userid;
 	Oid			saved_userid;
+	bool		saved_secdefcxt;
 	AclResult	aclresult;
 
-	saved_userid = GetUserId();
+	GetUserIdAndContext(&saved_userid, &saved_secdefcxt);
 
 	/*
 	 * Figure out user identities.
@@ -68,7 +69,7 @@ CreateSchemaCommand(CreateSchemaStmt *stmt)
 		 * (This will revert to session user on error or at the end of
 		 * this routine.)
 		 */
-		SetUserId(owner_userid);
+		SetUserIdAndContext(owner_userid, true);
 	}
 	else
 /* not superuser */
@@ -143,7 +144,7 @@ CreateSchemaCommand(CreateSchemaStmt *stmt)
 	PopSpecialNamespace(namespaceId);
 
 	/* Reset current user */
-	SetUserId(saved_userid);
+	SetUserIdAndContext(saved_userid, saved_secdefcxt);
 }
 
 

src/backend/commands/vacuum.c

@@ -13,7 +13,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/commands/vacuum.c,v 1.244.2.2 2007/03/14 18:49:32 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/commands/vacuum.c,v 1.244.2.3 2008/01/03 21:25:58 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -720,6 +720,8 @@ vacuum_rel(Oid relid, VacuumStmt *vacstmt, char expected_relkind)
 	LockRelId	onerelid;
 	Oid			toast_relid;
 	bool		result;
+	Oid			save_userid;
+	bool		save_secdefcxt;
 
 	/* Begin a transaction for vacuuming this relation */
 	StartTransactionCommand(true);
@@ -820,6 +822,14 @@ vacuum_rel(Oid relid, VacuumStmt *vacstmt, char expected_relkind)
 	 */
 	toast_relid = onerel->rd_rel->reltoastrelid;
 
+	/*
+	 * Switch to the table owner's userid, so that any index functions are
+	 * run as that user.  (This is unnecessary, but harmless, for lazy
+	 * VACUUM.)
+	 */
+	GetUserIdAndContext(&save_userid, &save_secdefcxt);
+	SetUserIdAndContext(onerel->rd_rel->relowner, true);
+
 	/*
 	 * Do the actual work --- either FULL or "lazy" vacuum
 	 */
@@ -830,6 +840,9 @@ vacuum_rel(Oid relid, VacuumStmt *vacstmt, char expected_relkind)
 
 	result = true;				/* did the vacuum */
 
+	/* Restore userid */
+	SetUserIdAndContext(save_userid, save_secdefcxt);
+
 	/* all done with this class, but hold lock until commit */
 	relation_close(onerel, NoLock);
 

src/backend/commands/variable.c

@@ -9,7 +9,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/commands/variable.c,v 1.71.2.4 2006/02/12 22:33:46 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/commands/variable.c,v 1.71.2.5 2008/01/03 21:25:58 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -561,6 +561,20 @@ assign_session_authorization(const char *value, bool doit, bool interactive)
 		/* not a saved ID, so look it up */
 		HeapTuple	userTup;
 
+		if (InSecurityDefinerContext())
+		{
+			/*
+			 * Disallow SET SESSION AUTHORIZATION inside a security definer
+			 * context.  We need to do this because when we exit the context,
+			 * GUC won't be notified, leaving things out of sync.  Note that
+			 * this test is positioned so that restoring a previously saved
+			 * setting isn't prevented.
+			 */
+			if (interactive)
+				elog(ERROR, "cannot set session authorization within security-definer function");
+			return NULL;
+		}
+
 		if (! IsTransactionState())
 		{
 			/*