Restrict access to reindex of shared catalogs for non-privileged users

A database owner running a database-level REINDEX has the possibility to
also do the operation on shared system catalogs without being an owner
of them, which allows him to block resources it should not have access
to.  The same goes for a schema owner.  For example, PostgreSQL would go
unresponsive and even block authentication if a lock is waited for
pg_authid.  This commit makes sure that a user running a REINDEX SYSTEM,
DATABASE or SCHEMA only works on the following relations:
- The user is a superuser
- The user is the table owner
- The user is the database/schema owner, only if the relation worked on
is not shared.

Robert has worded most the documentation changes, and I have coded the
core part.

Reported-by: Lloyd Albin, Jeremy Schneider
Author: Michael Paquier, Robert Haas
Reviewed by: Nathan Bossart, Kyotaro Horiguchi
Discussion: https://postgr.es/m/152512087100.19803.12733865831237526317@wrigleys.postgresql.org
Discussion: https://postgr.es/m/20180805211059.GA2185@paquier.xyz
Backpatch-through: 11- as the current behavior has been around for a
very long time and could be disruptive for already released branches.

diff --git a/doc/src/sgml/ref/reindex.sgml b/doc/src/sgml/ref/reindex.sgml
index 1c21fafb80e6ac779adb08e25f0a7f91a21baba9..47cef987d4868dd15e42febf22b3c8c547b36c26 100644 (file)
--- a/doc/src/sgml/ref/reindex.sgml
+++ b/doc/src/sgml/ref/reindex.sgml
@@ -225,10 +225,15 @@ REINDEX [ ( VERBOSE ) ] { INDEX | TABLE | SCHEMA | DATABASE | SYSTEM } <replacea
 
   <para>
    Reindexing a single index or table requires being the owner of that
-   index or table.  Reindexing a database requires being the owner of
-   the database (note that the owner can therefore rebuild indexes of
-   tables owned by other users).  Of course, superusers can always
-   reindex anything.
+   index or table.  Reindexing a schema or database requires being the
+   owner of that schema or database.  Note that is therefore sometimes
+   possible for non-superusers to rebuild indexes of tables owned by
+   other users.  However, as a special exception, when
+   <command>REINDEX DATABASE</command>, <command>REINDEX SCHEMA</command>
+   or <command>REINDEX SYSTEM</command> is issued by a non-superuser,
+   indexes on shared catalogs will be skipped unless the user owns the
+   catalog (which typically won't be the case).  Of course, superusers
+   can always reindex anything.
   </para>
 
   <para>

diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c
index b9dad9672ef6bce69542525069ae9c1ac87d22c8..d54c78c35272663d5e6b4f224fc906f9bb790bff 100644 (file)
--- a/src/backend/commands/indexcmds.c
+++ b/src/backend/commands/indexcmds.c
@@ -2415,6 +2415,18 @@ ReindexMultipleTables(const char *objectName, ReindexObjectType objectKind,
                        !IsSystemClass(relid, classtuple))
                        continue;
 
+               /*
+                * The table can be reindexed if the user is superuser, the table
+                * owner, or the database/schema owner (but in the latter case, only
+                * if it's not a shared relation).  pg_class_ownercheck includes the
+                * superuser case, and depending on objectKind we already know that
+                * the user has permission to run REINDEX on this database or schema
+                * per the permission checks at the beginning of this routine.
+                */
+               if (classtuple->relisshared &&
+                       !pg_class_ownercheck(relid, GetUserId()))
+                       continue;
+
                /* Save the list of relation OIDs in private context */
                old = MemoryContextSwitchTo(private_context);