]> granicus.if.org Git - postgresql/commit
projects / postgresql / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 59ef49d) | patch
Restrict access to reindex of shared catalogs for non-privileged users
authorMichael Paquier <michael@paquier.xyz>
Thu, 9 Aug 2018 07:40:15 +0000 (09:40 +0200)
committerMichael Paquier <michael@paquier.xyz>
Thu, 9 Aug 2018 07:40:15 +0000 (09:40 +0200)
commit661dd23950f2e64646404605e99315d2379de0e5
tree6c43b0fb60826d57e0c11e6de7fc9c9fb84d0de0tree | snapshot
parent59ef49d26d2f8724d0788fea0774f786a22ca63dcommit | diff
Restrict access to reindex of shared catalogs for non-privileged users

A database owner running a database-level REINDEX has the possibility to
also do the operation on shared system catalogs without being an owner
of them, which allows him to block resources it should not have access
to.  The same goes for a schema owner.  For example, PostgreSQL would go
unresponsive and even block authentication if a lock is waited for
pg_authid.  This commit makes sure that a user running a REINDEX SYSTEM,
DATABASE or SCHEMA only works on the following relations:
- The user is a superuser
- The user is the table owner
- The user is the database/schema owner, only if the relation worked on
is not shared.

Robert has worded most the documentation changes, and I have coded the
core part.

Reported-by: Lloyd Albin, Jeremy Schneider
Author: Michael Paquier, Robert Haas
Reviewed by: Nathan Bossart, Kyotaro Horiguchi
Discussion: https://postgr.es/m/152512087100.19803.12733865831237526317@wrigleys.postgresql.org
Discussion: https://postgr.es/m/20180805211059.GA2185@paquier.xyz
Backpatch-through: 11- as the current behavior has been around for a
very long time and could be disruptive for already released branches.
doc/src/sgml/ref/reindex.sgml diff | blob | history
src/backend/commands/indexcmds.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.