| From: | Christopher Kings-Lynne <chriskl(at)familyhealth(dot)com(dot)au> |
|---|---|
| To: | Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Nasty security bug with clustering |
| Date: | 2004-04-28 05:51:18 |
| Message-ID: | 408F4656.2070508@familyhealth.com.au |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
No check is performed for being a superuser, the table owner or that it
is a system table when marking an index for clustering:
usa=> alter table pg_class cluster on "pg_class_oid_index";
ALTER TABLE
usa=> select oid from pg_class where relname='pg_class_oid_index';
oid
-------
16613
(1 row)
usa=> select * from pg_index where indexrelid=16613;
indexrelid | indrelid | indkey | indclass | indnatts | indisunique |
indisprimary | indisclustered | indexprs | indpred
------------+----------+--------+----------+----------+-------------+--------------+----------------+----------+---------
16613 | 1259 | -2 | 1989 | 1 | t | f
| t | |
(1 row)
Note how I managed to mark as clustered an index on a system catalog as
a non-superuser...
Chris
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Christopher Kings-Lynne | 2004-04-28 06:04:34 | Clustering system catalog indexes |
| Previous Message | Tom Lane | 2004-04-28 05:16:27 | Re: 7.5 features |