projects / postgresql.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: e5b5a21) | patch
Make relation-enumerating operations be security-restricted operations.
authorNoah Misch
Mon, 9 May 2022 15:35:08 +0000 (08:35 -0700)
committerNoah Misch
Mon, 9 May 2022 15:35:12 +0000 (08:35 -0700)
commitab49ce7c3414ac19e4afb386d7843ce2d2fb8bda
tree87f4681e87f0061a44b3db6f3bd6b7b80ecfc85ftree
parente5b5a21356233739a552063fa70d4f5b245edb9acommit | diff
Make relation-enumerating operations be security-restricted operations.

When a feature enumerates relations and runs functions associated with
all found relations, the feature's user shall not need to trust every
user having permission to create objects.  BRIN-specific functionality
in autovacuum neglected to account for this, as did pg_amcheck and
CLUSTER.  An attacker having permission to create non-temp objects in at
least one schema could execute arbitrary SQL functions under the
identity of the bootstrap superuser.  CREATE INDEX (not a
relation-enumerating operation) and REINDEX protected themselves too
late.  This change extends to the non-enumerating amcheck interface.
Back-patch to v10 (all supported versions).

Sergey Shinderuk, reviewed (in earlier versions) by Alexander Lakhin.
Reported by Alexander Lakhin.

Security: CVE-2022-1552
contrib/amcheck/expected/check_btree.out diff | blob | blame | history
contrib/amcheck/sql/check_btree.sql diff | blob | blame | history
contrib/amcheck/verify_nbtree.c diff | blob | blame | history
src/backend/access/brin/brin.c diff | blob | blame | history
src/backend/catalog/index.c diff | blob | blame | history
src/backend/commands/cluster.c diff | blob | blame | history
src/backend/commands/indexcmds.c diff | blob | blame | history
src/backend/utils/init/miscinit.c diff | blob | blame | history
src/test/regress/expected/privileges.out diff | blob | blame | history
src/test/regress/sql/privileges.sql diff | blob | blame | history
This is the main PostgreSQL git repository.