pgsql: Force PL and range-type support functions to be owned by asuper

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: pgsql-committers(at)postgresql(dot)org
Subject: pgsql: Force PL and range-type support functions to be owned by asuper
Date: 2012-05-31 03:48:10
Message-ID: E1SZwMs-00044Q-0o@gemulon.postgresql.org
Lists: pgsql-committers
Force PL and range-type support functions to be owned by a superuser.

We allow non-superusers to create procedural languages (with restrictions)
and range datatypes.  Previously, the automatically-created support
functions for these objects ended up owned by the creating user.  This
represents a rather considerable security hazard, because the owning user
might be able to alter a support function's definition in such a way as to
crash the server, inject trojan-horse SQL code, or even execute arbitrary
C code directly.  It appears that right now the only actually exploitable
problem is the infinite-recursion bug fixed in the previous patch for
CVE-2012-2655.  However, it's not hard to imagine that future additions of
more ALTER FUNCTION capability might unintentionally open up new hazards.
To forestall future problems, cause these support functions to be owned by
the bootstrap superuser, not the user creating the parent object.

Branch
------
master

Details
-------
http://git.postgresql.org/pg/commitdiff/ad0009e7be27489f5acc0a36217d9ea8f3db2b14

Modified Files
--------------
src/backend/catalog/pg_aggregate.c  |    1 +
src/backend/catalog/pg_proc.c       |    2 +-
src/backend/commands/functioncmds.c |    1 +
src/backend/commands/proclang.c     |    4 ++++
src/backend/commands/typecmds.c     |    2 ++
src/include/catalog/pg_proc_fn.h    |    1 +
6 files changed, 10 insertions(+), 1 deletions(-)
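
An audit query for the condition this commit addresses, added here as an example and not part of the commit or the PostgreSQL source: it lists procedural-language support functions and automatically created range-type constructors whose owner is not a superuser. It assumes PostgreSQL 9.3 or later (for LATERAL) and identifies range constructors by their internal entry points range_constructor2 and range_constructor3; it flags any non-superuser owner rather than requiring the bootstrap superuser specifically.

```sql
-- Added example: find PL and range-type support functions that are still
-- owned by a non-superuser role. Run as a superuser in each database.

-- Part 1: call handler, inline handler and validator of each procedural language.
SELECT 'language'              AS parent_kind,
       l.lanname::text         AS parent_name,
       p.oid::regprocedure     AS support_function,
       r.rolname               AS function_owner
FROM pg_language AS l
CROSS JOIN LATERAL (VALUES (l.lanplcallfoid),
                           (l.laninline),
                           (l.lanvalidator)) AS f(fn_oid)
JOIN pg_proc  AS p ON p.oid = f.fn_oid      -- unset handlers (OID 0) drop out here
JOIN pg_roles AS r ON r.oid = p.proowner
WHERE l.lanispl                             -- skip internal, c and sql
  AND NOT r.rolsuper

UNION ALL

-- Part 2: constructor functions created automatically by CREATE TYPE ... AS RANGE.
SELECT 'range type',
       rg.rngtypid::regtype::text,
       p.oid::regprocedure,
       r.rolname
FROM pg_range AS rg
JOIN pg_proc  AS p ON p.prorettype = rg.rngtypid
                  AND p.prosrc IN ('range_constructor2', 'range_constructor3')
JOIN pg_roles AS r ON r.oid = p.proowner
WHERE NOT r.rolsuper

ORDER BY parent_kind, parent_name, support_function;
```

An empty result means no such function is owned by an unprivileged role; any row returned can be corrected with ALTER FUNCTION ... OWNER TO a superuser role.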