On Sun, Jul 29, 2018 at 04:11:38PM +0000, Bossart, Nathan wrote: > On 7/27/18, 7:10 PM, "Michael Paquier" <mich...@paquier.xyz> wrote: > > No problem. If there are no objections, I am going to fix the REINDEX > > issue first and back-patch. Its patch is the least invasive of the > > set. > > This seems like a reasonable place to start. I took a closer look at > 0003.
Thanks for looking at it! > This is added to ReindexMultipleTables(), which is used for REINDEX > SCHEMA, REINDEX SYSTEM, and REINDEX DATABASE. Presently, REINDEX > SCHEMA requires being the owner of the schema, and REINDEX SYSTEM and > REINDEX DATABASE require being the owner of the database. So, if a > role is an owner of a database or the pg_catalog schema, they are able > to reindex shared catalogs like pg_authid. Yeah, I was testing that yesterday night and bumped on this case when trying do a REINDEX SCHEMA pg_class. The point is that you can simplify the check and remove pg_database_ownercheck as there is already an ACL check on the database/system/schema at the top of the routine, so you are already sure that pg_database_ownercheck() or pg_namespace_ownercheck would return true. This shaves a few cycles as well for each relation checked. > I also noticed that this patch causes shared relations to be skipped > silently. Perhaps we should emit a WARNING or DEBUG message when this > happens, at least for REINDEXOPT_VERBOSE. That's intentional. I thought about that as well, but I am hesitant to do so as we don't bother mentioning the other relations skipped. REINDEX VERBOSE also shows up what are the tables processed, so it is easy to guess what are the tables skipped, still more painful. And the documentation changes added cover the gap. > I noticed that there is no mention that the owner of a schema can do > REINDEX SCHEMA, which seems important to note. Also, the proposed > wording might seem slightly ambiguous for the REINDEX DATABASE case. > It might be clearer to say something like the following: > > Reindexing a single index or table requires being the owner of > that index of table. REINDEX DATABASE and REINDEX SYSTEM > require being the owner of the database, and REINDEX SCHEMA > requires being the owner of the schema (note that the user can > therefore rebuild indexes of tables owned by other users). > Reindexing a shared catalog requires being the owner of the > shared catalog, even if the user is the owner of the specified > database or schema. Of course, superusers can always reindex > anything. +1, I have included your suggestions. The patch attached applies easily down to 9.5 where REINDEX SCHEMA was added. For 9.4 and 9.3, there is no schema case, still the new check is similar. The commit message is slightly changed so as there is no mention of REINDEX SCHEMA. 9.3 needs a slight change compared to 9.4 as well. So attached are patches for 9.5~master, 9.4 and 9.3 with commit messages. Does that look fine to folks of this thread? -- Michael
From d82e9df826b29bf9030dc97551bdd0bef894677d Mon Sep 17 00:00:00 2001 From: Michael Paquier <mich...@paquier.xyz> Date: Mon, 30 Jul 2018 09:29:32 +0900 Subject: [PATCH] Restrict access to reindex of shared catalogs for non-privileged users A database owner running a database-level REINDEX has the possibility to also do the operation on shared system catalogs without being an owner of them, which allows him to block resources it should not have access to. For example, PostgreSQL would go unresponsive and even block authentication if a lock is waited for pg_authid. This commit makes sure that a user running a REINDEX SYSTEM or DATABASE only works on the following relations: - The user is a superuser - The user is the table owner - The user is the database owner, only if the relation worked on is not shared. Reported-by: Lloyd Albin, Jeremy Schneider Author: Michael Paquier Reviewed by: Nathan Bossart, Kyotaro Horiguchi Discussion: https://postgr.es/m/152512087100.19803.12733865831237526...@wrigleys.postgresql.org --- doc/src/sgml/ref/reindex.sgml | 3 ++- src/backend/commands/indexcmds.c | 11 +++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/doc/src/sgml/ref/reindex.sgml b/doc/src/sgml/ref/reindex.sgml index a795dfa325..001111c024 100644 --- a/doc/src/sgml/ref/reindex.sgml +++ b/doc/src/sgml/ref/reindex.sgml @@ -214,7 +214,8 @@ REINDEX { INDEX | TABLE | DATABASE | SYSTEM } <replaceable class="PARAMETER">nam Reindexing a single index or table requires being the owner of that index or table. Reindexing a database requires being the owner of the database (note that the owner can therefore rebuild indexes of - tables owned by other users). Of course, superusers can always + tables owned by other users). Reindexing a shared catalog requires + being the owner of that shared catalog. Of course, superusers can always reindex anything. </para> diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index fb51a79364..414c9cd66f 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -1873,6 +1873,17 @@ ReindexDatabase(const char *databaseName, bool do_system, bool do_user) continue; } + /* + * The table can be reindexed if the user is superuser, the table + * owner, or the database owner (but in the latter case, only if it's + * not a shared relation). pg_class_ownercheck includes the superuser + * case, and we already know that the user has permission to run + * REINDEX on this database. + */ + if (!pg_class_ownercheck(HeapTupleGetOid(tuple), GetUserId()) && + classtuple->relisshared) + continue; + if (HeapTupleGetOid(tuple) == RelationRelationId) continue; /* got it already */ -- 2.18.0
From 848c31a3fec109a55285e6c02e9122d394f787a3 Mon Sep 17 00:00:00 2001 From: Michael Paquier <mich...@paquier.xyz> Date: Mon, 30 Jul 2018 09:25:19 +0900 Subject: [PATCH] Restrict access to reindex of shared catalogs for non-privileged users A database owner running a database-level REINDEX has the possibility to also do the operation on shared system catalogs without being an owner of them, which allows him to block resources it should not have access to. For example, PostgreSQL would go unresponsive and even block authentication if a lock is waited for pg_authid. This commit makes sure that a user running a REINDEX SYSTEM or DATABASE only works on the following relations: - The user is a superuser - The user is the table owner - The user is the database owner, only if the relation worked on is not shared. Reported-by: Lloyd Albin, Jeremy Schneider Author: Michael Paquier Reviewed by: Nathan Bossart, Kyotaro Horiguchi Discussion: https://postgr.es/m/152512087100.19803.12733865831237526...@wrigleys.postgresql.org --- doc/src/sgml/ref/reindex.sgml | 3 ++- src/backend/commands/indexcmds.c | 11 +++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/doc/src/sgml/ref/reindex.sgml b/doc/src/sgml/ref/reindex.sgml index cabae191bc..82f5dc1317 100644 --- a/doc/src/sgml/ref/reindex.sgml +++ b/doc/src/sgml/ref/reindex.sgml @@ -214,7 +214,8 @@ REINDEX { INDEX | TABLE | DATABASE | SYSTEM } <replaceable class="PARAMETER">nam Reindexing a single index or table requires being the owner of that index or table. Reindexing a database requires being the owner of the database (note that the owner can therefore rebuild indexes of - tables owned by other users). Of course, superusers can always + tables owned by other users). Reindexing a shared catalog requires + being the owner of that shared catalog. Of course, superusers can always reindex anything. </para> diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ee1fd0d51..97b38993d5 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -1869,6 +1869,17 @@ ReindexDatabase(const char *databaseName, bool do_system, bool do_user) continue; } + /* + * The table can be reindexed if the user is superuser, the table + * owner, or the database owner (but in the latter case, only if it's + * not a shared relation). pg_class_ownercheck includes the superuser + * case, and we already know that the user has permission to run + * REINDEX on this database. + */ + if (!pg_class_ownercheck(relid, GetUserId()) && + classtuple->relisshared) + continue; + if (HeapTupleGetOid(tuple) == RelationRelationId) continue; /* got it already */ -- 2.18.0
From ccabd709a8d34ef1f16dc018849c977bd9f5ab53 Mon Sep 17 00:00:00 2001 From: Michael Paquier <mich...@paquier.xyz> Date: Mon, 30 Jul 2018 09:13:37 +0900 Subject: [PATCH] Restrict access to reindex of shared catalogs for non-privileged users A database owner running a database-level REINDEX has the possibility to also do the operation on shared system catalogs without being an owner of them, which allows him to block resources it should not have access to. The same goes for a schema owner. For example, PostgreSQL would go unresponsive and even block authentication if a lock is waited for pg_authid. This commit makes sure that a user running a REINDEX SYSTEM, DATABASE or SCHEMA only works on the following relations: - The user is a superuser - The user is the table owner - The user is the database/schema owner, only if the relation worked on is not shared. Reported-by: Lloyd Albin, Jeremy Schneider Author: Michael Paquier Reviewed by: Nathan Bossart, Kyotaro Horiguchi Discussion: https://postgr.es/m/152512087100.19803.12733865831237526...@wrigleys.postgresql.org --- doc/src/sgml/ref/reindex.sgml | 10 +++++++--- src/backend/commands/indexcmds.c | 12 ++++++++++++ 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/doc/src/sgml/ref/reindex.sgml b/doc/src/sgml/ref/reindex.sgml index 1c21fafb80..2ce103e788 100644 --- a/doc/src/sgml/ref/reindex.sgml +++ b/doc/src/sgml/ref/reindex.sgml @@ -225,9 +225,13 @@ REINDEX [ ( VERBOSE ) ] { INDEX | TABLE | SCHEMA | DATABASE | SYSTEM } <replacea <para> Reindexing a single index or table requires being the owner of that - index or table. Reindexing a database requires being the owner of - the database (note that the owner can therefore rebuild indexes of - tables owned by other users). Of course, superusers can always + index or table. <command>REINDEX DATABASE</command> and + <command>REINDEX SYSTEM</command> require being the owner of + the database (note that the owner can therefore rebuild indexes of tables + owned by other users). <command>REINDEX SCHEMA</command> requires + being the owner of the schema. Reindexing a shared catalog requires + being the owner of that shared catalog, even if the user is the owner + of the specified schema or database. Of course, superusers can always reindex anything. </para> diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index b9dad9672e..0cb4656aab 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -2415,6 +2415,18 @@ ReindexMultipleTables(const char *objectName, ReindexObjectType objectKind, !IsSystemClass(relid, classtuple)) continue; + /* + * The table can be reindexed if the user is superuser, the table + * owner, or the database/schema owner (but in the latter case, only + * if it's not a shared relation). pg_class_ownercheck includes the + * superuser case, and depending on objectKind we already know that + * the user has permission to run REINDEX on this database or schema + * per the permission checks at the beginning of this routine. + */ + if (!pg_class_ownercheck(relid, GetUserId()) && + classtuple->relisshared) + continue; + /* Save the list of relation OIDs in private context */ old = MemoryContextSwitchTo(private_context); -- 2.18.0
signature.asc
Description: PGP signature
