pgsql: Make standard maintenance operations (including VACUUM, ANALYZE, - Mailing list pgsql-committers

Log Message:
-----------
Make standard maintenance operations (including VACUUM, ANALYZE, REINDEX,
and CLUSTER) execute as the table owner rather than the calling user, using
the same privilege-switching mechanism already used for SECURITY DEFINER
functions.  The purpose of this change is to ensure that user-defined
functions used in index definitions cannot acquire the privileges of a
superuser account that is performing routine maintenance.  While a function
used in an index is supposed to be IMMUTABLE and thus not able to do anything
very interesting, there are several easy ways around that restriction; and
even if we could plug them all, there would remain a risk of reading sensitive
information and broadcasting it through a covert channel such as CPU usage.

To prevent bypassing this security measure, execution of SET SESSION
AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context.

Thanks to Itagaki Takahiro for reporting this vulnerability.

Security: CVE-2007-6600

Tags:
----
REL8_1_STABLE

Modified Files:
--------------
    pgsql/doc/src/sgml/ref:
        set_role.sgml (r1.2 -> r1.2.2.1)
        (http://developer.postgresql.org/cvsweb.cgi/pgsql/doc/src/sgml/ref/set_role.sgml?r1=1.2&r2=1.2.2.1)
        set_session_auth.sgml (r1.14 -> r1.14.2.1)
        (http://developer.postgresql.org/cvsweb.cgi/pgsql/doc/src/sgml/ref/set_session_auth.sgml?r1=1.14&r2=1.14.2.1)
        show.sgml (r1.39 -> r1.39.2.1)
        (http://developer.postgresql.org/cvsweb.cgi/pgsql/doc/src/sgml/ref/show.sgml?r1=1.39&r2=1.39.2.1)
    pgsql/src/backend/access/transam:
        xact.c (r1.215.2.3 -> r1.215.2.4)
        (http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/access/transam/xact.c?r1=1.215.2.3&r2=1.215.2.4)
    pgsql/src/backend/catalog:
        index.c (r1.261.2.3 -> r1.261.2.4)
        (http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/catalog/index.c?r1=1.261.2.3&r2=1.261.2.4)
    pgsql/src/backend/commands:
        analyze.c (r1.89.2.1 -> r1.89.2.2)
        (http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/commands/analyze.c?r1=1.89.2.1&r2=1.89.2.2)
        schemacmds.c (r1.35 -> r1.35.2.1)
        (http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/commands/schemacmds.c?r1=1.35&r2=1.35.2.1)
        vacuum.c (r1.317.2.5 -> r1.317.2.6)
        (http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/commands/vacuum.c?r1=1.317.2.5&r2=1.317.2.6)
        variable.c (r1.114.2.2 -> r1.114.2.3)
        (http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/commands/variable.c?r1=1.114.2.2&r2=1.114.2.3)
    pgsql/src/backend/utils/adt:
        ri_triggers.c (r1.82.2.2 -> r1.82.2.3)
        (http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/utils/adt/ri_triggers.c?r1=1.82.2.2&r2=1.82.2.3)
    pgsql/src/backend/utils/fmgr:
        fmgr.c (r1.97.2.2 -> r1.97.2.3)
        (http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/utils/fmgr/fmgr.c?r1=1.97.2.2&r2=1.97.2.3)
    pgsql/src/backend/utils/init:
        miscinit.c (r1.150.2.1 -> r1.150.2.2)
        (http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/utils/init/miscinit.c?r1=1.150.2.1&r2=1.150.2.2)
    pgsql/src/include:
        miscadmin.h (r1.183.2.1 -> r1.183.2.2)
        (http://developer.postgresql.org/cvsweb.cgi/pgsql/src/include/miscadmin.h?r1=1.183.2.1&r2=1.183.2.2)