Log Message: ----------- Make standard maintenance operations (including VACUUM, ANALYZE, REINDEX, and CLUSTER) execute as the table owner rather than the calling user, using the same privilege-switching mechanism already used for SECURITY DEFINER functions. The purpose of this change is to ensure that user-defined functions used in index definitions cannot acquire the privileges of a superuser account that is performing routine maintenance. While a function used in an index is supposed to be IMMUTABLE and thus not able to do anything very interesting, there are several easy ways around that restriction; and even if we could plug them all, there would remain a risk of reading sensitive information and broadcasting it through a covert channel such as CPU usage. To prevent bypassing this security measure, execution of SET SESSION AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context. Thanks to Itagaki Takahiro for reporting this vulnerability. Security: CVE-2007-6600 Tags: ---- REL7_4_STABLE Modified Files: -------------- pgsql/doc/src/sgml/ref: set_session_auth.sgml (r1.11 -> r1.11.2.1) (http://developer.postgresql.org/cvsweb.cgi/pgsql/doc/src/sgml/ref/set_session_auth.sgml?r1=1.11&r2=1.11.2.1) pgsql/src/backend/access/transam: xact.c (r1.156.2.4 -> r1.156.2.5) (http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/access/transam/xact.c?r1=1.156.2.4&r2=1.156.2.5) pgsql/src/backend/catalog: index.c (r1.219.2.2 -> r1.219.2.3) (http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/catalog/index.c?r1=1.219.2.2&r2=1.219.2.3) pgsql/src/backend/commands: schemacmds.c (r1.16 -> r1.16.4.1) (http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/commands/schemacmds.c?r1=1.16&r2=1.16.4.1) vacuum.c (r1.263.2.3 -> r1.263.2.4) (http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/commands/vacuum.c?r1=1.263.2.3&r2=1.263.2.4) variable.c (r1.88.2.3 -> r1.88.2.4) (http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/commands/variable.c?r1=1.88.2.3&r2=1.88.2.4) pgsql/src/backend/utils/adt: ri_triggers.c (r1.63.2.1 -> r1.63.2.2) (http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/utils/adt/ri_triggers.c?r1=1.63.2.1&r2=1.63.2.2) pgsql/src/backend/utils/fmgr: fmgr.c (r1.76.2.1 -> r1.76.2.2) (http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/utils/fmgr/fmgr.c?r1=1.76.2.1&r2=1.76.2.2) pgsql/src/backend/utils/init: miscinit.c (r1.116 -> r1.116.2.1) (http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/utils/init/miscinit.c?r1=1.116&r2=1.116.2.1) pgsql/src/include: miscadmin.h (r1.134 -> r1.134.2.1) (http://developer.postgresql.org/cvsweb.cgi/pgsql/src/include/miscadmin.h?r1=1.134&r2=1.134.2.1)
pgsql-committers by date:
Соглашаюсь с условиями обработки персональных данных