From 848c31a3fec109a55285e6c02e9122d394f787a3 Mon Sep 17 00:00:00 2001 From: Michael Paquier Date: Mon, 30 Jul 2018 09:25:19 +0900 Subject: [PATCH] Restrict access to reindex of shared catalogs for non-privileged users A database owner running a database-level REINDEX has the possibility to also do the operation on shared system catalogs without being an owner of them, which allows him to block resources it should not have access to. For example, PostgreSQL would go unresponsive and even block authentication if a lock is waited for pg_authid. This commit makes sure that a user running a REINDEX SYSTEM or DATABASE only works on the following relations: - The user is a superuser - The user is the table owner - The user is the database owner, only if the relation worked on is not shared. Reported-by: Lloyd Albin, Jeremy Schneider Author: Michael Paquier Reviewed by: Nathan Bossart, Kyotaro Horiguchi Discussion: https://postgr.es/m/152512087100.19803.12733865831237526317@wrigleys.postgresql.org --- doc/src/sgml/ref/reindex.sgml | 3 ++- src/backend/commands/indexcmds.c | 11 +++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/doc/src/sgml/ref/reindex.sgml b/doc/src/sgml/ref/reindex.sgml index cabae191bc..82f5dc1317 100644 --- a/doc/src/sgml/ref/reindex.sgml +++ b/doc/src/sgml/ref/reindex.sgml @@ -214,7 +214,8 @@ REINDEX { INDEX | TABLE | DATABASE | SYSTEM } nam Reindexing a single index or table requires being the owner of that index or table. Reindexing a database requires being the owner of the database (note that the owner can therefore rebuild indexes of - tables owned by other users). Of course, superusers can always + tables owned by other users). Reindexing a shared catalog requires + being the owner of that shared catalog. Of course, superusers can always reindex anything. diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ee1fd0d51..97b38993d5 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -1869,6 +1869,17 @@ ReindexDatabase(const char *databaseName, bool do_system, bool do_user) continue; } + /* + * The table can be reindexed if the user is superuser, the table + * owner, or the database owner (but in the latter case, only if it's + * not a shared relation). pg_class_ownercheck includes the superuser + * case, and we already know that the user has permission to run + * REINDEX on this database. + */ + if (!pg_class_ownercheck(relid, GetUserId()) && + classtuple->relisshared) + continue; + if (HeapTupleGetOid(tuple) == RelationRelationId) continue; /* got it already */ -- 2.18.0