Nasty security bug with clustering - Mailing list pgsql-hackers

No check is performed for being a superuser, the table owner or that it 
is a system table when marking an index for clustering:

usa=> alter table pg_class cluster on "pg_class_oid_index";
ALTER TABLE
usa=> select oid from pg_class where relname='pg_class_oid_index';  oid
------- 16613
(1 row)

usa=> select * from pg_index where indexrelid=16613; indexrelid | indrelid | indkey | indclass | indnatts | indisunique
|
 
indisprimary | indisclustered | indexprs | indpred

------------+----------+--------+----------+----------+-------------+--------------+----------------+----------+---------
    16613 |     1259 | -2     |     1989 |        1 | t           | f            | t              |          |
 
(1 row)

Note how I managed to mark as clustered an index on a system catalog as 
a non-superuser...

Chris