On Tue, Jun 21, 2022 at 08:37:04PM -0700, Noah Misch wrote:
> On Tue, Jun 21, 2022 at 10:56:16AM -0700, Nathan Bossart wrote:
>> On Wed, Jun 15, 2022 at 10:42:18PM -0700, Noah Misch wrote:
>> > + * Identify the opclass to use. Use of ddl_userid is necessary due to
>> > + * ACL checks therein. This is safe despite opclasses containing
>> > + * opaque expressions (specifically, functions), because only
>> > + * superusers can define opclasses.
>>
>> It's not clear to me why the fact that only superusers can define opclasses
>> makes this safe.
>
> classOidP[attn] = ResolveOpClass(attribute->opclass,
> atttype,
> accessMethodName,
> accessMethodId);
>
> To write the comment, I pondered how those four arguments could conceivably
> lead ResolveOpClass() to locate Trojan code. Since only superusers can define
> opclasses, we can assume the catalog entries of an opclass do not point to
> Trojan code. (The superuser could just do the mischief directly, rather than
> going to extra trouble to set a trap for later.) If you see a hole in that
> thinking, please do share.
Thanks for clarifying. That makes sense to me.
--
Nathan Bossart
Amazon Web Services: https://aws.amazon.com
