Movatterモバイル変換

Skip to content

postgrespro/postgresPublic

forked frompostgres/postgres

NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit05e1737

jeff-davis

committed

Fix search_path to a safe value during maintenance operations.

While executing maintenance operations (ANALYZE, CLUSTER, REFRESHMATERIALIZED VIEW, REINDEX, or VACUUM), set search_path to'pg_catalog, pg_temp' to prevent inconsistent behavior.Functions that are used for functional indexes, in index expressions,or in materialized views and depend on a different search path must bedeclared with CREATE FUNCTION ... SET search_path='...'.This change addresses a security risk introduced in commit60684dd,where a role with MAINTAIN privileges on a table may be able toescalate privileges to the table owner. That commit is not yet part ofany release, so no need to backpatch.Discussion:https://postgr.es/m/e44327179e5c9015c8dda67351c04da552066017.camel%40j-davis.comReviewed-by: Greg StarkReviewed-by: Nathan Bossart

1 parent9aee26a commit05e1737Copy full SHA for 05e1737

File tree

15 files changed

+48

-16

lines changed

contrib/amcheck
- verify_nbtree.c
src
- backend
  - access/brin
    - brin.c
  - catalog
    - index.c
  - commands
- bin/scripts/t
  - 100_vacuumdb.pl
- include/utils
  - guc.h
- test
  - modules/test_oat_hooks/expected
    - test_oat_hooks.out
  - regress
    - expected
      - privileges.out
      - vacuum.out
    - sql
      - privileges.sql
      - vacuum.sql

15 files changed

+48

-16

lines changed

`‎contrib/amcheck/verify_nbtree.c‎`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -282,6 +282,8 @@ bt_index_check_internal(Oid indrelid, bool parentcheck, bool heapallindexed,`
`282`	`282`	`SetUserIdAndSecContext(heaprel->rd_rel->relowner,`
`283`	`283`	`save_sec_context \|SECURITY_RESTRICTED_OPERATION);`
`284`	`284`	`save_nestlevel=NewGUCNestLevel();`
	`285`	`+SetConfigOption("search_path",GUC_SAFE_SEARCH_PATH,PGC_USERSET,`
	`286`	`+PGC_S_SESSION);`
`285`	`287`	`}`
`286`	`288`	`else`
`287`	`289`	`{`

`‎src/backend/access/brin/brin.c‎`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1066,6 +1066,8 @@ brin_summarize_range(PG_FUNCTION_ARGS)`
`1066`	`1066`	`SetUserIdAndSecContext(heapRel->rd_rel->relowner,`
`1067`	`1067`	`save_sec_context \|SECURITY_RESTRICTED_OPERATION);`
`1068`	`1068`	`save_nestlevel=NewGUCNestLevel();`
	`1069`	`+SetConfigOption("search_path",GUC_SAFE_SEARCH_PATH,PGC_USERSET,`
	`1070`	`+PGC_S_SESSION);`
`1069`	`1071`	`}`
`1070`	`1072`	`else`
`1071`	`1073`	`{`

`‎src/backend/catalog/index.c‎`

Lines changed: 8 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1475,6 +1475,8 @@ index_concurrently_build(Oid heapRelationId,`
`1475`	`1475`	`SetUserIdAndSecContext(heapRel->rd_rel->relowner,`
`1476`	`1476`	`save_sec_context \|SECURITY_RESTRICTED_OPERATION);`
`1477`	`1477`	`save_nestlevel=NewGUCNestLevel();`
	`1478`	`+SetConfigOption("search_path",GUC_SAFE_SEARCH_PATH,PGC_USERSET,`
	`1479`	`+PGC_S_SESSION);`
`1478`	`1480`
`1479`	`1481`	`indexRelation=index_open(indexRelationId,RowExclusiveLock);`
`1480`	`1482`
`@@ -3006,6 +3008,8 @@ index_build(Relation heapRelation,`
`3006`	`3008`	`SetUserIdAndSecContext(heapRelation->rd_rel->relowner,`
`3007`	`3009`	`save_sec_context \|SECURITY_RESTRICTED_OPERATION);`
`3008`	`3010`	`save_nestlevel=NewGUCNestLevel();`
	`3011`	`+SetConfigOption("search_path",GUC_SAFE_SEARCH_PATH,PGC_USERSET,`
	`3012`	`+PGC_S_SESSION);`
`3009`	`3013`
`3010`	`3014`	`/* Set up initial progress report status */`
`3011`	`3015`	`{`
`@@ -3341,6 +3345,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot)`
`3341`	`3345`	`SetUserIdAndSecContext(heapRelation->rd_rel->relowner,`
`3342`	`3346`	`save_sec_context \|SECURITY_RESTRICTED_OPERATION);`
`3343`	`3347`	`save_nestlevel=NewGUCNestLevel();`
	`3348`	`+SetConfigOption("search_path",GUC_SAFE_SEARCH_PATH,PGC_USERSET,`
	`3349`	`+PGC_S_SESSION);`
`3344`	`3350`
`3345`	`3351`	`indexRelation=index_open(indexId,RowExclusiveLock);`
`3346`	`3352`
`@@ -3601,6 +3607,8 @@ reindex_index(Oid indexId, bool skip_constraint_checks, char persistence,`
`3601`	`3607`	`SetUserIdAndSecContext(heapRelation->rd_rel->relowner,`
`3602`	`3608`	`save_sec_context \|SECURITY_RESTRICTED_OPERATION);`
`3603`	`3609`	`save_nestlevel=NewGUCNestLevel();`
	`3610`	`+SetConfigOption("search_path",GUC_SAFE_SEARCH_PATH,PGC_USERSET,`
	`3611`	`+PGC_S_SESSION);`
`3604`	`3612`
`3605`	`3613`	`if (progress)`
`3606`	`3614`	`{`

`‎src/backend/commands/analyze.c‎`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -348,6 +348,8 @@ do_analyze_rel(Relation onerel, VacuumParams *params,`
`348`	`348`	`SetUserIdAndSecContext(onerel->rd_rel->relowner,`
`349`	`349`	`save_sec_context \|SECURITY_RESTRICTED_OPERATION);`
`350`	`350`	`save_nestlevel=NewGUCNestLevel();`
	`351`	`+SetConfigOption("search_path",GUC_SAFE_SEARCH_PATH,PGC_USERSET,`
	`352`	`+PGC_S_SESSION);`
`351`	`353`
`352`	`354`	`/* measure elapsed time iff autovacuum logging requires it */`
`353`	`355`	`if (IsAutoVacuumWorkerProcess()&&params->log_min_duration >=0)`

`‎src/backend/commands/cluster.c‎`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -355,6 +355,8 @@ cluster_rel(Oid tableOid, Oid indexOid, ClusterParams *params)`
`355`	`355`	`SetUserIdAndSecContext(OldHeap->rd_rel->relowner,`
`356`	`356`	`save_sec_context \|SECURITY_RESTRICTED_OPERATION);`
`357`	`357`	`save_nestlevel=NewGUCNestLevel();`
	`358`	`+SetConfigOption("search_path",GUC_SAFE_SEARCH_PATH,PGC_USERSET,`
	`359`	`+PGC_S_SESSION);`
`358`	`360`
`359`	`361`	`/*`
`360`	`362`	`* Since we may open a new transaction for each relation, we have to check`

`‎src/backend/commands/indexcmds.c‎`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -575,6 +575,8 @@ DefineIndex(Oid relationId,`
`575`	`575`	`introot_save_nestlevel;`
`576`	`576`
`577`	`577`	`root_save_nestlevel=NewGUCNestLevel();`
	`578`	`+SetConfigOption("search_path",GUC_SAFE_SEARCH_PATH,PGC_USERSET,`
	`579`	`+PGC_S_SESSION);`
`578`	`580`
`579`	`581`	`/*`
`580`	`582`	`* Some callers need us to run with an empty default_tablespace; this is a`
`@@ -1300,6 +1302,8 @@ DefineIndex(Oid relationId,`
`1300`	`1302`	`SetUserIdAndSecContext(childrel->rd_rel->relowner,`
`1301`	`1303`	`child_save_sec_context \|SECURITY_RESTRICTED_OPERATION);`
`1302`	`1304`	`child_save_nestlevel=NewGUCNestLevel();`
	`1305`	`+SetConfigOption("search_path",GUC_SAFE_SEARCH_PATH,PGC_USERSET,`
	`1306`	`+PGC_S_SESSION);`
`1303`	`1307`
`1304`	`1308`	`/*`
`1305`	`1309`	`* Don't try to create indexes on foreign tables, though. Skip`
`@@ -3753,6 +3757,8 @@ ReindexRelationConcurrently(Oid relationOid, ReindexParams *params)`
`3753`	`3757`	`SetUserIdAndSecContext(heapRel->rd_rel->relowner,`
`3754`	`3758`	`save_sec_context \|SECURITY_RESTRICTED_OPERATION);`
`3755`	`3759`	`save_nestlevel=NewGUCNestLevel();`
	`3760`	`+SetConfigOption("search_path",GUC_SAFE_SEARCH_PATH,PGC_USERSET,`
	`3761`	`+PGC_S_SESSION);`
`3756`	`3762`
`3757`	`3763`	`/* determine safety of this index for set_indexsafe_procflags */`
`3758`	`3764`	`idx->safe= (indexRel->rd_indexprs==NIL&&`

`‎src/backend/commands/matview.c‎`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -179,6 +179,8 @@ ExecRefreshMatView(RefreshMatViewStmt stmt, const char queryString,`
`179`	`179`	`SetUserIdAndSecContext(relowner,`
`180`	`180`	`save_sec_context \|SECURITY_RESTRICTED_OPERATION);`
`181`	`181`	`save_nestlevel=NewGUCNestLevel();`
	`182`	`+SetConfigOption("search_path",GUC_SAFE_SEARCH_PATH,PGC_USERSET,`
	`183`	`+PGC_S_SESSION);`
`182`	`184`
`183`	`185`	`/* Make sure it is a materialized view. */`
`184`	`186`	`if (matviewRel->rd_rel->relkind!=RELKIND_MATVIEW)`

`‎src/backend/commands/vacuum.c‎`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -2172,6 +2172,8 @@ vacuum_rel(Oid relid, RangeVar relation, VacuumParams params,`
`2172`	`2172`	`SetUserIdAndSecContext(rel->rd_rel->relowner,`
`2173`	`2173`	`save_sec_context \|SECURITY_RESTRICTED_OPERATION);`
`2174`	`2174`	`save_nestlevel=NewGUCNestLevel();`
	`2175`	`+SetConfigOption("search_path",GUC_SAFE_SEARCH_PATH,PGC_USERSET,`
	`2176`	`+PGC_S_SESSION);`
`2175`	`2177`
`2176`	`2178`	`/*`
`2177`	`2179`	`* If PROCESS_MAIN is set (the default), it's time to vacuum the main`

`‎src/bin/scripts/t/100_vacuumdb.pl‎`

Lines changed: 0 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -109,15 +109,11 @@`
`109`	`109`	`CREATE FUNCTION f1(int) RETURNS int LANGUAGE SQL AS 'SELECT f0($1)';`
`110`	`110`	`CREATE TABLE funcidx (x int);`
`111`	`111`	`INSERT INTO funcidx VALUES (0),(1),(2),(3);`
`112`		`- CREATE INDEX i0 ON funcidx ((f1(x)));`
`113`	`112`	`CREATE SCHEMA "Foo";`
`114`	`113`	`CREATE TABLE "Foo".bar(id int);`
`115`	`114`	`\|);`
`116`	`115`	`$node->command_ok([qw\|vacuumdb -Z --table="need""q(uot"(")x") postgres\|],`
`117`	`116`	`'column list');`
`118`		`-$node->command_fails(`
`119`		`-[qw\|vacuumdb -Zt funcidx postgres\|],`
`120`		`-'unqualified name via functional index');`
`121`	`117`
`122`	`118`	`$node->command_fails(`
`123`	`119`	`['vacuumdb','--analyze','--table','vactable(c)','postgres' ],`

`‎src/include/utils/guc.h‎`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -201,6 +201,12 @@ typedef enum`
`201`	`201`
`202`	`202`	`#defineGUC_QUALIFIER_SEPARATOR '.'`
`203`	`203`
	`204`	`+/*`
	`205`	`+ * Safe search path when executing code as the table owner, such as during`
	`206`	`+ * maintenance operations.`
	`207`	`+ */`
	`208`	`+#defineGUC_SAFE_SEARCH_PATH "pg_catalog, pg_temp"`
	`209`	`+`
`204`	`210`	`/*`
`205`	`211`	`* Bit values in "flags" of a GUC variable. Note that these don't appear`
`206`	`212`	`* on disk, so we can reassign their values freely.`

0 commit comments

Comments

(0)

[8]ページ先頭

©2009-2025 Movatter.jp