Make relation-enumerating operations be security-restricted operations.
When a feature enumerates relations and runs functions associated with
all found relations, the feature's user shall not need to trust every
user having permission to create objects. BRIN-specific functionality
in autovacuum neglected to account for this, as did pg_amcheck and
CLUSTER. An attacker having permission to create non-temp objects in at
least one schema could execute arbitrary SQL functions under the
identity of the bootstrap superuser. CREATE INDEX (not a
relation-enumerating operation) and REINDEX protected themselves too
late. This change extends to the non-enumerating amcheck interface.
Back-patch to v10 (all supported versions).
Sergey Shinderuk, reviewed (in earlier versions) by Alexander Lakhin.
Reported by Alexander Lakhin.
Security: CVE-2022-1552
Branch
------
REL_10_STABLE
Details
-------
https://git.postgresql.org/pg/commitdiff/ef792f7856dea2576dcd9cab92b2b05fe955696b
Modified Files
--------------
contrib/amcheck/expected/check_btree.out | 23 ++++++++++++
contrib/amcheck/sql/check_btree.sql | 21 +++++++++++
contrib/amcheck/verify_nbtree.c | 28 ++++++++++++++
src/backend/access/brin/brin.c | 30 ++++++++++++++-
src/backend/catalog/index.c | 41 +++++++++++++++------
src/backend/commands/cluster.c | 35 ++++++++++++++----
src/backend/commands/indexcmds.c | 53 ++++++++++++++++++++++++++-
src/backend/utils/init/miscinit.c | 24 +++++++-----
src/test/regress/expected/privileges.out | 63 ++++++++++++++++++++++++++++++++
src/test/regress/sql/privileges.sql | 47 ++++++++++++++++++++++++
10 files changed, 335 insertions(+), 30 deletions(-)