Make standard maintenance operations (including VACUUM, ANALYZE, REINDEX,

and CLUSTER) execute as the table owner rather than the calling user, using
the same privilege-switching mechanism already used for SECURITY DEFINER
functions.  The purpose of this change is to ensure that user-defined
functions used in index definitions cannot acquire the privileges of a
superuser account that is performing routine maintenance.  While a function
used in an index is supposed to be IMMUTABLE and thus not able to do anything
very interesting, there are several easy ways around that restriction; and
even if we could plug them all, there would remain a risk of reading sensitive
information and broadcasting it through a covert channel such as CPU usage.

To prevent bypassing this security measure, execution of SET SESSION
AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context.

Thanks to Itagaki Takahiro for reporting this vulnerability.

Security: CVE-2007-6600

Author: tglsfdc

doc/src/sgml/ref/set_role.sgml

@@ -1,5 +1,5 @@
 <!--
-$PostgreSQL: pgsql/doc/src/sgml/ref/set_role.sgml,v 1.4 2007/01/31 23:26:04 momjian Exp $
+$PostgreSQL: pgsql/doc/src/sgml/ref/set_role.sgml,v 1.5 2008/01/03 21:23:15 tgl Exp $
 PostgreSQL documentation
 -->
 
@@ -31,7 +31,7 @@ RESET ROLE
 
   <para>
    This command sets the current user
-   identifier of the current SQL-session context to be <replaceable
+   identifier of the current SQL session to be <replaceable
    class="parameter">rolename</replaceable>.  The role name can be
    written as either an identifier or a string literal.
    After <command>SET ROLE</>, permissions checking for SQL commands
@@ -89,6 +89,11 @@ RESET ROLE
    roles with <command>SET ROLE</> does not change the set of roles
    allowed to a later <command>SET ROLE</>.
   </para>
+
+  <para>
+   <command>SET ROLE</> cannot be used within a
+   <literal>SECURITY DEFINER</> function.
+  </para>
  </refsect1>
 
  <refsect1>

doc/src/sgml/ref/set_session_auth.sgml

@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/ref/set_session_auth.sgml,v 1.16 2007/01/31 23:26:04 momjian Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/ref/set_session_auth.sgml,v 1.17 2008/01/03 21:23:15 tgl Exp $ -->
 <refentry id="SQL-SET-SESSION-AUTHORIZATION">
  <refmeta>
   <refentrytitle id="sql-set-session-authorization-title">SET SESSION AUTHORIZATION</refentrytitle>
@@ -27,7 +27,7 @@ RESET SESSION AUTHORIZATION
 
   <para>
    This command sets the session user identifier and the current user
-   identifier of the current SQL-session context to be <replaceable
+   identifier of the current SQL session to be <replaceable
    class="parameter">username</replaceable>.  The user name can be
    written as either an identifier or a string literal.  Using this
    command, it is possible, for example, to temporarily become an
@@ -38,7 +38,7 @@ RESET SESSION AUTHORIZATION
    The session user identifier is initially set to be the (possibly
    authenticated) user name provided by the client.  The current user
    identifier is normally equal to the session user identifier, but
-   might change temporarily in the context of <quote>setuid</quote>
+   might change temporarily in the context of <literal>SECURITY DEFINER</>
    functions and similar mechanisms; it can also be changed by
    <xref linkend="sql-set-role" endterm="sql-set-role-title">.
    The current user identifier is relevant for permission checking.
@@ -64,6 +64,15 @@ RESET SESSION AUTHORIZATION
   </para>
  </refsect1>
 
+ <refsect1>
+  <title>Notes</title>
+
+  <para>
+   <command>SET SESSION AUTHORIZATION</> cannot be used within a
+   <literal>SECURITY DEFINER</> function.
+  </para>
+ </refsect1>
+
  <refsect1>
   <title>Examples</title>
 

doc/src/sgml/ref/show.sgml

@@ -1,5 +1,5 @@
 <!--
-$PostgreSQL: pgsql/doc/src/sgml/ref/show.sgml,v 1.44 2007/09/26 22:36:30 tgl Exp $
+$PostgreSQL: pgsql/doc/src/sgml/ref/show.sgml,v 1.45 2008/01/03 21:23:15 tgl Exp $
 PostgreSQL documentation
 -->
 
@@ -104,8 +104,7 @@ SHOW ALL
         <term><literal>IS_SUPERUSER</literal></term>
         <listitem>
          <para>
-          True if the current session authorization identifier has
-          superuser privileges.
+          True if the current role has superuser privileges.
          </para>
         </listitem>
        </varlistentry>

src/backend/access/transam/xact.c

@@ -10,7 +10,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/access/transam/xact.c,v 1.255 2008/01/01 19:45:48 momjian Exp $
+ *	  $PostgreSQL: pgsql/src/backend/access/transam/xact.c,v 1.256 2008/01/03 21:23:15 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -123,7 +123,8 @@ typedef struct TransactionStateData
 	MemoryContext curTransactionContext;		/* my xact-lifetime context */
 	ResourceOwner curTransactionOwner;	/* my query resources */
 	List	   *childXids;		/* subcommitted child XIDs */
-	Oid			currentUser;	/* subxact start current_user */
+	Oid			prevUser;		/* previous CurrentUserId setting */
+	bool		prevSecDefCxt;	/* previous SecurityDefinerContext setting */
 	bool		prevXactReadOnly;		/* entry-time xact r/o state */
 	struct TransactionStateData *parent;		/* back link to parent */
 } TransactionStateData;
@@ -148,7 +149,8 @@ static TransactionStateData TopTransactionStateData = {
 	NULL,						/* cur transaction context */
 	NULL,						/* cur transaction resource owner */
 	NIL,						/* subcommitted child Xids */
-	0,							/* entry-time current userid */
+	InvalidOid,					/* previous CurrentUserId setting */
+	false,						/* previous SecurityDefinerContext setting */
 	false,						/* entry-time xact r/o state */
 	NULL						/* link to parent state block */
 };
@@ -1490,19 +1492,15 @@ StartTransaction(void)
 
 	/*
 	 * initialize current transaction state fields
+	 *
+	 * note: prevXactReadOnly is not used at the outermost level
 	 */
 	s->nestingLevel = 1;
 	s->gucNestLevel = 1;
 	s->childXids = NIL;
-
-	/*
-	 * You might expect to see "s->currentUser = GetUserId();" here, but you
-	 * won't because it doesn't work during startup; the userid isn't set yet
-	 * during a backend's first transaction start.  We only use the
-	 * currentUser field in sub-transaction state structs.
-	 *
-	 * prevXactReadOnly is also valid only in sub-transactions.
-	 */
+	GetUserIdAndContext(&s->prevUser, &s->prevSecDefCxt);
+	/* SecurityDefinerContext should never be set outside a transaction */
+	Assert(!s->prevSecDefCxt);
 
 	/*
 	 * initialize other subsystems for new transaction
@@ -1963,17 +1961,16 @@ AbortTransaction(void)
 	s->state = TRANS_ABORT;
 
 	/*
-	 * Reset user id which might have been changed transiently.  We cannot use
-	 * s->currentUser, since it may not be set yet; instead rely on internal
-	 * state of miscinit.c.
+	 * Reset user ID which might have been changed transiently.  We need this
+	 * to clean up in case control escaped out of a SECURITY DEFINER function
+	 * or other local change of CurrentUserId; therefore, the prior value
+	 * of SecurityDefinerContext also needs to be restored.
 	 *
-	 * (Note: it is not necessary to restore session authorization here
-	 * because that can only be changed via GUC, and GUC will take care of
-	 * rolling it back if need be.	However, an error within a SECURITY
-	 * DEFINER function could send control here with the wrong current
-	 * userid.)
+	 * (Note: it is not necessary to restore session authorization or role
+	 * settings here because those can only be changed via GUC, and GUC will
+	 * take care of rolling them back if need be.)
 	 */
-	AtAbort_UserId();
+	SetUserIdAndContext(s->prevUser, s->prevSecDefCxt);
 
 	/*
 	 * do abort processing
@@ -3806,6 +3803,12 @@ AbortSubTransaction(void)
 
 	s->state = TRANS_ABORT;
 
+	/*
+	 * Reset user ID which might have been changed transiently.  (See notes
+	 * in AbortTransaction.)
+	 */
+	SetUserIdAndContext(s->prevUser, s->prevSecDefCxt);
+
 	/*
 	 * We can skip all this stuff if the subxact failed before creating a
 	 * ResourceOwner...
@@ -3858,20 +3861,6 @@ AbortSubTransaction(void)
 		AtEOSubXact_PgStat(false, s->nestingLevel);
 	}
 
-	/*
-	 * Reset user id which might have been changed transiently.  Here we want
-	 * to restore to the userid that was current at subxact entry. (As in
-	 * AbortTransaction, we need not worry about the session userid.)
-	 *
-	 * Must do this after AtEOXact_GUC to handle the case where we entered the
-	 * subxact inside a SECURITY DEFINER function (hence current and session
-	 * userids were different) and then session auth was changed inside the
-	 * subxact.  GUC will reset both current and session userids to the
-	 * entry-time session userid.  This is right in every other scenario so it
-	 * seems simplest to let GUC do that and fix it here.
-	 */
-	SetUserId(s->currentUser);
-
 	/*
 	 * Restore the upper transaction's read-only state, too.  This should be
 	 * redundant with GUC's cleanup but we may as well do it for consistency
@@ -3926,13 +3915,6 @@ PushTransaction(void)
 {
 	TransactionState p = CurrentTransactionState;
 	TransactionState s;
-	Oid			currentUser;
-
-	/*
-	 * At present, GetUserId cannot fail, but let's not assume that.  Get the
-	 * ID before entering the critical code sequence.
-	 */
-	currentUser = GetUserId();
 
 	/*
 	 * We keep subtransaction state nodes in TopTransactionContext.
@@ -3966,7 +3948,7 @@ PushTransaction(void)
 	s->savepointLevel = p->savepointLevel;
 	s->state = TRANS_DEFAULT;
 	s->blockState = TBLOCK_SUBBEGIN;
-	s->currentUser = currentUser;
+	GetUserIdAndContext(&s->prevUser, &s->prevSecDefCxt);
 	s->prevXactReadOnly = XactReadOnly;
 
 	CurrentTransactionState = s;

src/backend/catalog/index.c

@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/catalog/index.c,v 1.289 2008/01/01 19:45:48 momjian Exp $
+ *	  $PostgreSQL: pgsql/src/backend/catalog/index.c,v 1.290 2008/01/03 21:23:15 tgl Exp $
  *
  *
  * INTERFACE ROUTINES
@@ -1339,6 +1339,8 @@ index_build(Relation heapRelation,
 {
 	RegProcedure procedure;
 	IndexBuildResult *stats;
+	Oid			save_userid;
+	bool		save_secdefcxt;
 
 	/*
 	 * sanity checks
@@ -1349,6 +1351,13 @@ index_build(Relation heapRelation,
 	procedure = indexRelation->rd_am->ambuild;
 	Assert(RegProcedureIsValid(procedure));
 
+	/*
+	 * Switch to the table owner's userid, so that any index functions are
+	 * run as that user.
+	 */
+	GetUserIdAndContext(&save_userid, &save_secdefcxt);
+	SetUserIdAndContext(heapRelation->rd_rel->relowner, true);
+
 	/*
 	 * Call the access method's build procedure
 	 */
@@ -1359,6 +1368,9 @@ index_build(Relation heapRelation,
 										 PointerGetDatum(indexInfo)));
 	Assert(PointerIsValid(stats));
 
+	/* Restore userid */
+	SetUserIdAndContext(save_userid, save_secdefcxt);
+
 	/*
 	 * If we found any potentially broken HOT chains, mark the index as not
 	 * being usable until the current transaction is below the event horizon.
@@ -1857,6 +1869,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot)
 	IndexInfo  *indexInfo;
 	IndexVacuumInfo ivinfo;
 	v_i_state	state;
+	Oid			save_userid;
+	bool		save_secdefcxt;
 
 	/* Open and lock the parent heap relation */
 	heapRelation = heap_open(heapId, ShareUpdateExclusiveLock);
@@ -1873,6 +1887,13 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot)
 	/* mark build is concurrent just for consistency */
 	indexInfo->ii_Concurrent = true;
 
+	/*
+	 * Switch to the table owner's userid, so that any index functions are
+	 * run as that user.
+	 */
+	GetUserIdAndContext(&save_userid, &save_secdefcxt);
+	SetUserIdAndContext(heapRelation->rd_rel->relowner, true);
+
 	/*
 	 * Scan the index and gather up all the TIDs into a tuplesort object.
 	 */
@@ -1910,6 +1931,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot)
 		 "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples",
 		 state.htups, state.itups, state.tups_inserted);
 
+	/* Restore userid */
+	SetUserIdAndContext(save_userid, save_secdefcxt);
+
 	/* Close rels, but keep locks */
 	index_close(indexRelation, NoLock);
 	heap_close(heapRelation, NoLock);

src/backend/commands/analyze.c

@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/commands/analyze.c,v 1.113 2008/01/01 19:45:48 momjian Exp $
+ *	  $PostgreSQL: pgsql/src/backend/commands/analyze.c,v 1.114 2008/01/03 21:23:15 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -119,6 +119,8 @@ analyze_rel(Oid relid, VacuumStmt *vacstmt,
 	HeapTuple  *rows;
 	PGRUsage	ru0;
 	TimestampTz starttime = 0;
+	Oid			save_userid;
+	bool		save_secdefcxt;
 
 	if (vacstmt->verbose)
 		elevel = INFO;
@@ -202,6 +204,18 @@ analyze_rel(Oid relid, VacuumStmt *vacstmt,
 		return;
 	}
 
+	ereport(elevel,
+			(errmsg("analyzing \"%s.%s\"",
+					get_namespace_name(RelationGetNamespace(onerel)),
+					RelationGetRelationName(onerel))));
+
+	/*
+	 * Switch to the table owner's userid, so that any index functions are
+	 * run as that user.
+	 */
+	GetUserIdAndContext(&save_userid, &save_secdefcxt);
+	SetUserIdAndContext(onerel->rd_rel->relowner, true);
+
 	/* let others know what I'm doing */
 	LWLockAcquire(ProcArrayLock, LW_EXCLUSIVE);
 	MyProc->vacuumFlags |= PROC_IN_ANALYZE;
@@ -215,11 +229,6 @@ analyze_rel(Oid relid, VacuumStmt *vacstmt,
 			starttime = GetCurrentTimestamp();
 	}
 
-	ereport(elevel,
-			(errmsg("analyzing \"%s.%s\"",
-					get_namespace_name(RelationGetNamespace(onerel)),
-					RelationGetRelationName(onerel))));
-
 	/*
 	 * Determine which columns to analyze
 	 *
@@ -344,9 +353,7 @@ analyze_rel(Oid relid, VacuumStmt *vacstmt,
 								  onerel->rd_rel->relisshared,
 								  0, 0);
 
-		vac_close_indexes(nindexes, Irel, AccessShareLock);
-		relation_close(onerel, ShareUpdateExclusiveLock);
-		return;
+		goto cleanup;
 	}
 
 	/*
@@ -466,6 +473,9 @@ analyze_rel(Oid relid, VacuumStmt *vacstmt,
 							  totalrows, totaldeadrows);
 	}
 
+	/* We skip to here if there were no analyzable columns */
+cleanup:
+
 	/* Done with indexes */
 	vac_close_indexes(nindexes, Irel, NoLock);
 
@@ -498,6 +508,9 @@ analyze_rel(Oid relid, VacuumStmt *vacstmt,
 	LWLockAcquire(ProcArrayLock, LW_EXCLUSIVE);
 	MyProc->vacuumFlags &= ~PROC_IN_ANALYZE;
 	LWLockRelease(ProcArrayLock);
+
+	/* Restore userid */
+	SetUserIdAndContext(save_userid, save_secdefcxt);
 }
 
 /*