Fix search_path to a safe value during maintenance operations.

While executing maintenance operations (ANALYZE, CLUSTER, REFRESH MATERIALIZED VIEW, REINDEX, or VACUUM), set search_path to 'pg_catalog, pg_temp' to prevent inconsistent behavior. Functions that are used for functional indexes, in index expressions, or in materialized views and depend on a different search path must be declared with CREATE FUNCTION ... SET search_path='...'. This change addresses a security risk introduced in commit 60684dd834, where a role with MAINTAIN privileges on a table may be able to escalate privileges to the table owner. That commit is not yet part of any release, so no need to backpatch. Discussion: https://postgr.es/m/e44327179e5c9015c8dda67351c04da552066017.camel%40j-davis.com Reviewed-by: Greg Stark Reviewed-by: Nathan Bossart
author: Jeff Davis 2023-06-09 18:20:47 +0000
committer: Jeff Davis 2023-06-09 18:20:47 +0000
commit: 05e17373517114167d002494e004fa0aa32d1fd1 (patch)
tree: 2d96a124ad8a75d5d717d930f634c985f48e4166 /contrib/amcheck/verify_nbtree.c
parent: 9aee26a491ba9b7ceff40e6192183ab7200b6bfb (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/contrib/amcheck/verify_nbtree.c b/contrib/amcheck/verify_nbtree.c
index 6979aff727b..2b5c8a300b0 100644
--- a/contrib/amcheck/verify_nbtree.c
+++ b/contrib/amcheck/verify_nbtree.c
@@ -282,6 +282,8 @@ bt_index_check_internal(Oid indrelid, bool parentcheck, bool heapallindexed,
 		SetUserIdAndSecContext(heaprel->rd_rel->relowner,
 							   save_sec_context | SECURITY_RESTRICTED_OPERATION);
 		save_nestlevel = NewGUCNestLevel();
+		SetConfigOption("search_path", GUC_SAFE_SEARCH_PATH, PGC_USERSET,
+						PGC_S_SESSION);
 	}
 	else
 	{
author	Jeff Davis	2023-06-09 18:20:47 +0000
committer	Jeff Davis	2023-06-09 18:20:47 +0000
commit	05e17373517114167d002494e004fa0aa32d1fd1 (patch)
tree	2d96a124ad8a75d5d717d930f634c985f48e4166 /contrib/amcheck/verify_nbtree.c
parent	9aee26a491ba9b7ceff40e6192183ab7200b6bfb (diff)