agora inbox for [email protected]help / color / mirror / Atom feed
[PATCH v3 4/4] run pgindent 94+ messages / 2 participants [nested] [flat]
* [PATCH v3 4/4] run pgindent @ 2026-05-06 21:43 Nathan Bossart <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Nathan Bossart @ 2026-05-06 21:43 UTC (permalink / raw) --- src/bin/pg_dump/pg_dump.c | 457 ++++++++++++------------ src/bin/pg_dump/pg_dumpall.c | 30 +- src/bin/pg_upgrade/check.c | 16 +- src/bin/pg_upgrade/exec.c | 8 +- src/bin/pg_upgrade/multixact_rewrite.c | 80 ++--- src/bin/pg_upgrade/pg_upgrade.c | 2 +- src/bin/pg_upgrade/relfilenumber.c | 54 +-- src/bin/psql/command.c | 29 +- src/bin/psql/describe.c | 461 ++++++++++++------------- 9 files changed, 567 insertions(+), 570 deletions(-) diff --git a/src/bin/pg_dump/pg_dump.c b/src/bin/pg_dump/pg_dump.c index eed9aaeb7c1..c05623b1889 100644 --- a/src/bin/pg_dump/pg_dump.c +++ b/src/bin/pg_dump/pg_dump.c @@ -1491,8 +1491,8 @@ setup_connection(Archive *AH, const char *dumpencoding, * Disable timeouts if supported. */ ExecuteSqlStatement(AH, "SET statement_timeout = 0"); - ExecuteSqlStatement(AH, "SET lock_timeout = 0"); - ExecuteSqlStatement(AH, "SET idle_in_transaction_session_timeout = 0"); + ExecuteSqlStatement(AH, "SET lock_timeout = 0"); + ExecuteSqlStatement(AH, "SET idle_in_transaction_session_timeout = 0"); if (AH->remoteVersion >= 170000) ExecuteSqlStatement(AH, "SET transaction_timeout = 0"); @@ -1505,10 +1505,10 @@ setup_connection(Archive *AH, const char *dumpencoding, /* * Adjust row-security mode, if supported. */ - if (dopt->enable_row_security) - ExecuteSqlStatement(AH, "SET row_security = on"); - else - ExecuteSqlStatement(AH, "SET row_security = off"); + if (dopt->enable_row_security) + ExecuteSqlStatement(AH, "SET row_security = on"); + else + ExecuteSqlStatement(AH, "SET row_security = off"); /* * For security reasons, we restrict the expansion of non-system views and @@ -1955,7 +1955,7 @@ checkExtensionMembership(DumpableObject *dobj, Archive *fout) if (fout->dopt->binary_upgrade) dobj->dump = ext->dobj.dump; else - dobj->dump = ext->dobj.dump_contains & (DUMP_COMPONENT_ACL); + dobj->dump = ext->dobj.dump_contains & (DUMP_COMPONENT_ACL); return true; } @@ -1989,9 +1989,9 @@ selectDumpableNamespace(NamespaceInfo *nsinfo, Archive *fout) else if (strcmp(nsinfo->dobj.name, "pg_catalog") == 0) { /* - * We dump out any ACLs defined in pg_catalog, if - * they are interesting (and not the original ACLs which were set at - * initdb time, see pg_init_privs). + * We dump out any ACLs defined in pg_catalog, if they are interesting + * (and not the original ACLs which were set at initdb time, see + * pg_init_privs). */ nsinfo->dobj.dump_contains = nsinfo->dobj.dump = DUMP_COMPONENT_ACL; } @@ -3298,7 +3298,7 @@ dumpDatabase(Archive *fout) "datcollate, datctype, datfrozenxid, " "datacl, acldefault('d', datdba) AS acldefault, " "datistemplate, datconnlimit, "); - appendPQExpBufferStr(dbQry, "datminmxid, "); + appendPQExpBufferStr(dbQry, "datminmxid, "); if (fout->remoteVersion >= 170000) appendPQExpBufferStr(dbQry, "datlocprovider, datlocale, datcollversion, "); else if (fout->remoteVersion >= 150000) @@ -3640,11 +3640,11 @@ dumpDatabase(Archive *fout) ii_oid, ii_relminmxid; - appendPQExpBuffer(loFrozenQry, "SELECT relfrozenxid, relminmxid, relfilenode, oid\n" - "FROM pg_catalog.pg_class\n" - "WHERE oid IN (%u, %u, %u, %u);\n", - LargeObjectRelationId, LargeObjectLOidPNIndexId, - LargeObjectMetadataRelationId, LargeObjectMetadataOidIndexId); + appendPQExpBuffer(loFrozenQry, "SELECT relfrozenxid, relminmxid, relfilenode, oid\n" + "FROM pg_catalog.pg_class\n" + "WHERE oid IN (%u, %u, %u, %u);\n", + LargeObjectRelationId, LargeObjectLOidPNIndexId, + LargeObjectMetadataRelationId, LargeObjectMetadataOidIndexId); lo_res = ExecuteSqlQuery(fout, loFrozenQry->data, PGRES_TUPLES_OK); @@ -4276,7 +4276,7 @@ getPolicies(Archive *fout, TableInfo tblinfo[], int numTables) printfPQExpBuffer(query, "SELECT pol.oid, pol.tableoid, pol.polrelid, pol.polname, pol.polcmd, "); - appendPQExpBufferStr(query, "pol.polpermissive, "); + appendPQExpBufferStr(query, "pol.polpermissive, "); appendPQExpBuffer(query, "CASE WHEN pol.polroles = '{0}' THEN NULL ELSE " " pg_catalog.array_to_string(ARRAY(SELECT pg_catalog.quote_ident(rolname) from pg_catalog.pg_roles WHERE oid = ANY(pol.polroles)), ', ') END AS polroles, " @@ -6635,9 +6635,9 @@ getAccessMethods(Archive *fout) * Select all access methods from pg_am table. */ appendPQExpBufferStr(query, "SELECT tableoid, oid, amname, "); - appendPQExpBufferStr(query, - "amtype, " - "amhandler::pg_catalog.regproc AS amhandler "); + appendPQExpBufferStr(query, + "amtype, " + "amhandler::pg_catalog.regproc AS amhandler "); appendPQExpBufferStr(query, "FROM pg_am"); res = ExecuteSqlQuery(fout, query->data, PGRES_TUPLES_OK); @@ -6829,35 +6829,35 @@ getAggregates(Archive *fout) * Find all interesting aggregates. See comment in getFuncs() for the * rationale behind the filtering logic. */ - agg_check = (fout->remoteVersion >= 110000 ? "p.prokind = 'a'" - : "p.proisagg"); + agg_check = (fout->remoteVersion >= 110000 ? "p.prokind = 'a'" + : "p.proisagg"); - appendPQExpBuffer(query, "SELECT p.tableoid, p.oid, " - "p.proname AS aggname, " - "p.pronamespace AS aggnamespace, " - "p.pronargs, p.proargtypes, " - "p.proowner, " - "p.proacl AS aggacl, " - "acldefault('f', p.proowner) AS acldefault " - "FROM pg_proc p " - "LEFT JOIN pg_init_privs pip ON " - "(p.oid = pip.objoid " - "AND pip.classoid = 'pg_proc'::regclass " - "AND pip.objsubid = 0) " - "WHERE %s AND (" - "p.pronamespace != " - "(SELECT oid FROM pg_namespace " - "WHERE nspname = 'pg_catalog') OR " - "p.proacl IS DISTINCT FROM pip.initprivs", - agg_check); - if (dopt->binary_upgrade) - appendPQExpBufferStr(query, - " OR EXISTS(SELECT 1 FROM pg_depend WHERE " - "classid = 'pg_proc'::regclass AND " - "objid = p.oid AND " - "refclassid = 'pg_extension'::regclass AND " - "deptype = 'e')"); - appendPQExpBufferChar(query, ')'); + appendPQExpBuffer(query, "SELECT p.tableoid, p.oid, " + "p.proname AS aggname, " + "p.pronamespace AS aggnamespace, " + "p.pronargs, p.proargtypes, " + "p.proowner, " + "p.proacl AS aggacl, " + "acldefault('f', p.proowner) AS acldefault " + "FROM pg_proc p " + "LEFT JOIN pg_init_privs pip ON " + "(p.oid = pip.objoid " + "AND pip.classoid = 'pg_proc'::regclass " + "AND pip.objsubid = 0) " + "WHERE %s AND (" + "p.pronamespace != " + "(SELECT oid FROM pg_namespace " + "WHERE nspname = 'pg_catalog') OR " + "p.proacl IS DISTINCT FROM pip.initprivs", + agg_check); + if (dopt->binary_upgrade) + appendPQExpBufferStr(query, + " OR EXISTS(SELECT 1 FROM pg_depend WHERE " + "classid = 'pg_proc'::regclass AND " + "objid = p.oid AND " + "refclassid = 'pg_extension'::regclass AND " + "deptype = 'e')"); + appendPQExpBufferChar(query, ')'); res = ExecuteSqlQuery(fout, query->data, PGRES_TUPLES_OK); @@ -6959,53 +6959,53 @@ getFuncs(Archive *fout) * include them, since we want to dump extension members individually in * that mode. Also, if they are used by casts or transforms then we need * to gather the information about them, though they won't be dumped if - * they are built-in. Also, include functions in - * pg_catalog if they have an ACL different from what's shown in - * pg_init_privs (so we have to join to pg_init_privs; annoying). + * they are built-in. Also, include functions in pg_catalog if they have + * an ACL different from what's shown in pg_init_privs (so we have to join + * to pg_init_privs; annoying). */ - not_agg_check = (fout->remoteVersion >= 110000 ? "p.prokind <> 'a'" - : "NOT p.proisagg"); + not_agg_check = (fout->remoteVersion >= 110000 ? "p.prokind <> 'a'" + : "NOT p.proisagg"); - appendPQExpBuffer(query, - "SELECT p.tableoid, p.oid, p.proname, p.prolang, " - "p.pronargs, p.proargtypes, p.prorettype, " - "p.proacl, " - "acldefault('f', p.proowner) AS acldefault, " - "p.pronamespace, " - "p.proowner " - "FROM pg_proc p " - "LEFT JOIN pg_init_privs pip ON " - "(p.oid = pip.objoid " - "AND pip.classoid = 'pg_proc'::regclass " - "AND pip.objsubid = 0) " - "WHERE %s" - "\n AND NOT EXISTS (SELECT 1 FROM pg_depend " - "WHERE classid = 'pg_proc'::regclass AND " - "objid = p.oid AND deptype = 'i')" - "\n AND (" - "\n pronamespace != " - "(SELECT oid FROM pg_namespace " - "WHERE nspname = 'pg_catalog')" - "\n OR EXISTS (SELECT 1 FROM pg_cast" - "\n WHERE pg_cast.oid > %u " - "\n AND p.oid = pg_cast.castfunc)" - "\n OR EXISTS (SELECT 1 FROM pg_transform" - "\n WHERE pg_transform.oid > %u AND " - "\n (p.oid = pg_transform.trffromsql" - "\n OR p.oid = pg_transform.trftosql))", - not_agg_check, - g_last_builtin_oid, - g_last_builtin_oid); - if (dopt->binary_upgrade) - appendPQExpBufferStr(query, - "\n OR EXISTS(SELECT 1 FROM pg_depend WHERE " - "classid = 'pg_proc'::regclass AND " - "objid = p.oid AND " - "refclassid = 'pg_extension'::regclass AND " - "deptype = 'e')"); + appendPQExpBuffer(query, + "SELECT p.tableoid, p.oid, p.proname, p.prolang, " + "p.pronargs, p.proargtypes, p.prorettype, " + "p.proacl, " + "acldefault('f', p.proowner) AS acldefault, " + "p.pronamespace, " + "p.proowner " + "FROM pg_proc p " + "LEFT JOIN pg_init_privs pip ON " + "(p.oid = pip.objoid " + "AND pip.classoid = 'pg_proc'::regclass " + "AND pip.objsubid = 0) " + "WHERE %s" + "\n AND NOT EXISTS (SELECT 1 FROM pg_depend " + "WHERE classid = 'pg_proc'::regclass AND " + "objid = p.oid AND deptype = 'i')" + "\n AND (" + "\n pronamespace != " + "(SELECT oid FROM pg_namespace " + "WHERE nspname = 'pg_catalog')" + "\n OR EXISTS (SELECT 1 FROM pg_cast" + "\n WHERE pg_cast.oid > %u " + "\n AND p.oid = pg_cast.castfunc)" + "\n OR EXISTS (SELECT 1 FROM pg_transform" + "\n WHERE pg_transform.oid > %u AND " + "\n (p.oid = pg_transform.trffromsql" + "\n OR p.oid = pg_transform.trftosql))", + not_agg_check, + g_last_builtin_oid, + g_last_builtin_oid); + if (dopt->binary_upgrade) appendPQExpBufferStr(query, - "\n OR p.proacl IS DISTINCT FROM pip.initprivs"); - appendPQExpBufferChar(query, ')'); + "\n OR EXISTS(SELECT 1 FROM pg_depend WHERE " + "classid = 'pg_proc'::regclass AND " + "objid = p.oid AND " + "refclassid = 'pg_extension'::regclass AND " + "deptype = 'e')"); + appendPQExpBufferStr(query, + "\n OR p.proacl IS DISTINCT FROM pip.initprivs"); + appendPQExpBufferChar(query, ')'); res = ExecuteSqlQuery(fout, query->data, PGRES_TUPLES_OK); @@ -7254,31 +7254,31 @@ getTables(Archive *fout, int *numTables) appendPQExpBufferStr(query, "c.relhasoids, "); - appendPQExpBufferStr(query, - "c.relispopulated, "); + appendPQExpBufferStr(query, + "c.relispopulated, "); - appendPQExpBufferStr(query, - "c.relreplident, "); + appendPQExpBufferStr(query, + "c.relreplident, "); - appendPQExpBufferStr(query, - "c.relrowsecurity, c.relforcerowsecurity, "); + appendPQExpBufferStr(query, + "c.relrowsecurity, c.relforcerowsecurity, "); - appendPQExpBufferStr(query, - "c.relminmxid, tc.relminmxid AS tminmxid, "); + appendPQExpBufferStr(query, + "c.relminmxid, tc.relminmxid AS tminmxid, "); - appendPQExpBufferStr(query, - "array_remove(array_remove(c.reloptions,'check_option=local'),'check_option=cascaded') AS reloptions, " - "CASE WHEN 'check_option=local' = ANY (c.reloptions) THEN 'LOCAL'::text " - "WHEN 'check_option=cascaded' = ANY (c.reloptions) THEN 'CASCADED'::text ELSE NULL END AS checkoption, "); + appendPQExpBufferStr(query, + "array_remove(array_remove(c.reloptions,'check_option=local'),'check_option=cascaded') AS reloptions, " + "CASE WHEN 'check_option=local' = ANY (c.reloptions) THEN 'LOCAL'::text " + "WHEN 'check_option=cascaded' = ANY (c.reloptions) THEN 'CASCADED'::text ELSE NULL END AS checkoption, "); - appendPQExpBufferStr(query, - "am.amname, "); + appendPQExpBufferStr(query, + "am.amname, "); - appendPQExpBufferStr(query, - "(d.deptype = 'i') IS TRUE AS is_identity_sequence, "); + appendPQExpBufferStr(query, + "(d.deptype = 'i') IS TRUE AS is_identity_sequence, "); - appendPQExpBufferStr(query, - "c.relispartition AS ispartition "); + appendPQExpBufferStr(query, + "c.relispartition AS ispartition "); /* * Left join to pg_depend to pick up dependency info linking sequences to @@ -7298,8 +7298,8 @@ getTables(Archive *fout, int *numTables) /* * Left join to pg_am to pick up the amname. */ - appendPQExpBufferStr(query, - "LEFT JOIN pg_am am ON (c.relam = am.oid)\n"); + appendPQExpBufferStr(query, + "LEFT JOIN pg_am am ON (c.relam = am.oid)\n"); /* * We purposefully ignore toast OIDs for partitioned tables; the reason is @@ -7870,8 +7870,8 @@ getIndexes(Archive *fout, TableInfo tblinfo[], int numTables) "t.reloptions AS indreloptions, "); - appendPQExpBufferStr(query, - "i.indisreplident, "); + appendPQExpBufferStr(query, + "i.indisreplident, "); if (fout->remoteVersion >= 110000) appendPQExpBufferStr(query, @@ -9315,8 +9315,8 @@ getTableAttrs(Archive *fout, TableInfo *tblinfo, int numTables) appendPQExpBufferStr(q, "'' AS attcompression,\n"); - appendPQExpBufferStr(q, - "a.attidentity,\n"); + appendPQExpBufferStr(q, + "a.attidentity,\n"); if (fout->remoteVersion >= 110000) appendPQExpBufferStr(q, @@ -10719,73 +10719,73 @@ getAdditionalACLs(Archive *fout) PQclear(res); /* Fetch initial-privileges data */ - printfPQExpBuffer(query, - "SELECT objoid, classoid, objsubid, privtype, initprivs " - "FROM pg_init_privs"); + printfPQExpBuffer(query, + "SELECT objoid, classoid, objsubid, privtype, initprivs " + "FROM pg_init_privs"); - res = ExecuteSqlQuery(fout, query->data, PGRES_TUPLES_OK); + res = ExecuteSqlQuery(fout, query->data, PGRES_TUPLES_OK); - ntups = PQntuples(res); - for (i = 0; i < ntups; i++) - { - Oid objoid = atooid(PQgetvalue(res, i, 0)); - Oid classoid = atooid(PQgetvalue(res, i, 1)); - int objsubid = atoi(PQgetvalue(res, i, 2)); - char privtype = *(PQgetvalue(res, i, 3)); - char *initprivs = PQgetvalue(res, i, 4); - CatalogId objId; - DumpableObject *dobj; + ntups = PQntuples(res); + for (i = 0; i < ntups; i++) + { + Oid objoid = atooid(PQgetvalue(res, i, 0)); + Oid classoid = atooid(PQgetvalue(res, i, 1)); + int objsubid = atoi(PQgetvalue(res, i, 2)); + char privtype = *(PQgetvalue(res, i, 3)); + char *initprivs = PQgetvalue(res, i, 4); + CatalogId objId; + DumpableObject *dobj; - objId.tableoid = classoid; - objId.oid = objoid; - dobj = findObjectByCatalogId(objId); - /* OK to ignore entries we haven't got a DumpableObject for */ - if (dobj) + objId.tableoid = classoid; + objId.oid = objoid; + dobj = findObjectByCatalogId(objId); + /* OK to ignore entries we haven't got a DumpableObject for */ + if (dobj) + { + /* Cope with sub-object initprivs */ + if (objsubid != 0) { - /* Cope with sub-object initprivs */ - if (objsubid != 0) - { - if (dobj->objType == DO_TABLE) - { - /* For a column initprivs, set the table's ACL flags */ - dobj->components |= DUMP_COMPONENT_ACL; - ((TableInfo *) dobj)->hascolumnACLs = true; - } - else - pg_log_warning("unsupported pg_init_privs entry: %u %u %d", - classoid, objoid, objsubid); - continue; - } - - /* - * We ignore any pg_init_privs.initprivs entry for the public - * schema, as explained in getNamespaces(). - */ - if (dobj->objType == DO_NAMESPACE && - strcmp(dobj->name, "public") == 0) - continue; - - /* Else it had better be of a type we think has ACLs */ - if (dobj->objType == DO_NAMESPACE || - dobj->objType == DO_TYPE || - dobj->objType == DO_FUNC || - dobj->objType == DO_AGG || - dobj->objType == DO_TABLE || - dobj->objType == DO_PROCLANG || - dobj->objType == DO_FDW || - dobj->objType == DO_FOREIGN_SERVER) + if (dobj->objType == DO_TABLE) { - DumpableObjectWithAcl *daobj = (DumpableObjectWithAcl *) dobj; - - daobj->dacl.privtype = privtype; - daobj->dacl.initprivs = pstrdup(initprivs); + /* For a column initprivs, set the table's ACL flags */ + dobj->components |= DUMP_COMPONENT_ACL; + ((TableInfo *) dobj)->hascolumnACLs = true; } else pg_log_warning("unsupported pg_init_privs entry: %u %u %d", classoid, objoid, objsubid); + continue; + } + + /* + * We ignore any pg_init_privs.initprivs entry for the public + * schema, as explained in getNamespaces(). + */ + if (dobj->objType == DO_NAMESPACE && + strcmp(dobj->name, "public") == 0) + continue; + + /* Else it had better be of a type we think has ACLs */ + if (dobj->objType == DO_NAMESPACE || + dobj->objType == DO_TYPE || + dobj->objType == DO_FUNC || + dobj->objType == DO_AGG || + dobj->objType == DO_TABLE || + dobj->objType == DO_PROCLANG || + dobj->objType == DO_FDW || + dobj->objType == DO_FOREIGN_SERVER) + { + DumpableObjectWithAcl *daobj = (DumpableObjectWithAcl *) dobj; + + daobj->dacl.privtype = privtype; + daobj->dacl.initprivs = pstrdup(initprivs); } + else + pg_log_warning("unsupported pg_init_privs entry: %u %u %d", + classoid, objoid, objsubid); } - PQclear(res); + } + PQclear(res); destroyPQExpBuffer(query); } @@ -11130,8 +11130,8 @@ dumpRelationStats_dumper(Archive *fout, const void *userArg, const TocEntry *te) * The results must be in the order of the relations supplied in the * parameters to ensure we remain in sync as we walk through the TOC. * - * For versions before 19, the redundant filter clause on s.tablename = - * ANY(...) seems sufficient to convince the planner to use + * For versions before 19, the redundant filter clause on s.tablename + * = ANY(...) seems sufficient to convince the planner to use * pg_class_relname_nsp_index, which avoids a full scan of pg_stats. * In newer versions, pg_stats returns the table OIDs, eliminating the * need for that hack. @@ -13471,11 +13471,11 @@ dumpFunc(Archive *fout, const FuncInfo *finfo) "pg_catalog.pg_get_function_result(p.oid) AS funcresult,\n" "proleakproof,\n"); - appendPQExpBufferStr(query, - "array_to_string(protrftypes, ' ') AS protrftypes,\n"); + appendPQExpBufferStr(query, + "array_to_string(protrftypes, ' ') AS protrftypes,\n"); - appendPQExpBufferStr(query, - "proparallel,\n"); + appendPQExpBufferStr(query, + "proparallel,\n"); if (fout->remoteVersion >= 110000) appendPQExpBufferStr(query, @@ -14965,9 +14965,9 @@ dumpCollation(Archive *fout, const CollInfo *collinfo) /* Get collation-specific details */ appendPQExpBufferStr(query, "SELECT "); - appendPQExpBufferStr(query, - "collprovider, " - "collversion, "); + appendPQExpBufferStr(query, + "collprovider, " + "collversion, "); if (fout->remoteVersion >= 120000) appendPQExpBufferStr(query, @@ -15374,23 +15374,23 @@ dumpAgg(Archive *fout, const AggInfo *agginfo) "pg_catalog.pg_get_function_arguments(p.oid) AS funcargs,\n" "pg_catalog.pg_get_function_identity_arguments(p.oid) AS funciargs,\n"); - appendPQExpBufferStr(query, - "aggkind,\n" - "aggmtransfn,\n" - "aggminvtransfn,\n" - "aggmfinalfn,\n" - "aggmtranstype::pg_catalog.regtype,\n" - "aggfinalextra,\n" - "aggmfinalextra,\n" - "aggtransspace,\n" - "aggmtransspace,\n" - "aggminitval,\n"); + appendPQExpBufferStr(query, + "aggkind,\n" + "aggmtransfn,\n" + "aggminvtransfn,\n" + "aggmfinalfn,\n" + "aggmtranstype::pg_catalog.regtype,\n" + "aggfinalextra,\n" + "aggmfinalextra,\n" + "aggtransspace,\n" + "aggmtransspace,\n" + "aggminitval,\n"); - appendPQExpBufferStr(query, - "aggcombinefn,\n" - "aggserialfn,\n" - "aggdeserialfn,\n" - "proparallel,\n"); + appendPQExpBufferStr(query, + "aggcombinefn,\n" + "aggserialfn,\n" + "aggdeserialfn,\n" + "proparallel,\n"); if (fout->remoteVersion >= 110000) appendPQExpBufferStr(query, @@ -16850,30 +16850,30 @@ dumpTable(Archive *fout, const TableInfo *tbinfo) appendPQExpBufferStr(query, "PREPARE getColumnACLs(pg_catalog.oid) AS\n"); - /* - * In principle we should call acldefault('c', relowner) to - * get the default ACL for a column. However, we don't - * currently store the numeric OID of the relowner in - * TableInfo. We could convert the owner name using regrole, - * but that creates a risk of failure due to concurrent role - * renames. Given that the default ACL for columns is empty - * and is likely to stay that way, it's not worth extra cycles - * and risk to avoid hard-wiring that knowledge here. - */ - appendPQExpBufferStr(query, - "SELECT at.attname, " - "at.attacl, " - "'{}' AS acldefault, " - "pip.privtype, pip.initprivs " - "FROM pg_catalog.pg_attribute at " - "LEFT JOIN pg_catalog.pg_init_privs pip ON " - "(at.attrelid = pip.objoid " - "AND pip.classoid = 'pg_catalog.pg_class'::pg_catalog.regclass " - "AND at.attnum = pip.objsubid) " - "WHERE at.attrelid = $1 AND " - "NOT at.attisdropped " - "AND (at.attacl IS NOT NULL OR pip.initprivs IS NOT NULL) " - "ORDER BY at.attnum"); + /* + * In principle we should call acldefault('c', relowner) to get + * the default ACL for a column. However, we don't currently + * store the numeric OID of the relowner in TableInfo. We could + * convert the owner name using regrole, but that creates a risk + * of failure due to concurrent role renames. Given that the + * default ACL for columns is empty and is likely to stay that + * way, it's not worth extra cycles and risk to avoid hard-wiring + * that knowledge here. + */ + appendPQExpBufferStr(query, + "SELECT at.attname, " + "at.attacl, " + "'{}' AS acldefault, " + "pip.privtype, pip.initprivs " + "FROM pg_catalog.pg_attribute at " + "LEFT JOIN pg_catalog.pg_init_privs pip ON " + "(at.attrelid = pip.objoid " + "AND pip.classoid = 'pg_catalog.pg_class'::pg_catalog.regclass " + "AND at.attnum = pip.objsubid) " + "WHERE at.attrelid = $1 AND " + "NOT at.attisdropped " + "AND (at.attacl IS NOT NULL OR pip.initprivs IS NOT NULL) " + "ORDER BY at.attnum"); ExecuteSqlStatement(fout, query->data); @@ -19167,7 +19167,7 @@ collectSequences(Archive *fout) * pg_get_sequence_data(), but we only do so for non-schema-only dumps. */ if (fout->remoteVersion < 180000 || - (!fout->dopt->dumpData && !fout->dopt->sequence_data)) + (!fout->dopt->dumpData && !fout->dopt->sequence_data)) query = "SELECT seqrelid, format_type(seqtypid, NULL), " "seqstart, seqincrement, " "seqmax, seqmin, " @@ -19229,15 +19229,14 @@ dumpSequence(Archive *fout, const TableInfo *tbinfo) qseqname = pg_strdup(fmtId(tbinfo->dobj.name)); /* - * The sequence information is gathered in a sorted - * table before any calls to dumpSequence(). See collectSequences() for - * more information. + * The sequence information is gathered in a sorted table before any calls + * to dumpSequence(). See collectSequences() for more information. */ - Assert(sequences); + Assert(sequences); - key.oid = tbinfo->dobj.catId.oid; - seq = bsearch(&key, sequences, nsequences, - sizeof(SequenceItem), SequenceItemCmp); + key.oid = tbinfo->dobj.catId.oid; + seq = bsearch(&key, sequences, nsequences, + sizeof(SequenceItem), SequenceItemCmp); /* Calculate default limits for a sequence of this type */ is_ascending = (seq->incby >= 0); diff --git a/src/bin/pg_dump/pg_dumpall.c b/src/bin/pg_dump/pg_dumpall.c index 5b10f7122b7..3f61196671c 100644 --- a/src/bin/pg_dump/pg_dumpall.c +++ b/src/bin/pg_dump/pg_dumpall.c @@ -954,11 +954,11 @@ dropRoles(PGconn *conn) int i_rolname; int i; - printfPQExpBuffer(buf, - "SELECT rolname " - "FROM %s " - "WHERE rolname !~ '^pg_' " - "ORDER BY 1", role_catalog); + printfPQExpBuffer(buf, + "SELECT rolname " + "FROM %s " + "WHERE rolname !~ '^pg_' " + "ORDER BY 1", role_catalog); res = executeQuery(conn, buf->data); @@ -1035,16 +1035,16 @@ dumpRoles(PGconn *conn) * Notes: rolconfig is dumped later, and pg_authid must be used for * extracting rolcomment regardless of role_catalog. */ - printfPQExpBuffer(buf, - "SELECT oid, rolname, rolsuper, rolinherit, " - "rolcreaterole, rolcreatedb, " - "rolcanlogin, rolconnlimit, rolpassword, " - "rolvaliduntil, rolreplication, rolbypassrls, " - "pg_catalog.shobj_description(oid, 'pg_authid') as rolcomment, " - "rolname = current_user AS is_current_user " - "FROM %s " - "WHERE rolname !~ '^pg_' " - "ORDER BY 2", role_catalog); + printfPQExpBuffer(buf, + "SELECT oid, rolname, rolsuper, rolinherit, " + "rolcreaterole, rolcreatedb, " + "rolcanlogin, rolconnlimit, rolpassword, " + "rolvaliduntil, rolreplication, rolbypassrls, " + "pg_catalog.shobj_description(oid, 'pg_authid') as rolcomment, " + "rolname = current_user AS is_current_user " + "FROM %s " + "WHERE rolname !~ '^pg_' " + "ORDER BY 2", role_catalog); res = executeQuery(conn, buf->data); diff --git a/src/bin/pg_upgrade/check.c b/src/bin/pg_upgrade/check.c index 0813cef2729..5f63e2114c8 100644 --- a/src/bin/pg_upgrade/check.c +++ b/src/bin/pg_upgrade/check.c @@ -1475,15 +1475,15 @@ check_for_incompatible_polymorphics(ClusterInfo *cluster) ", 'array_cat(anyarray,anyarray)'" ", 'array_prepend(anyelement,anyarray)'"); - appendPQExpBufferStr(&old_polymorphics, - ", 'array_remove(anyarray,anyelement)'" - ", 'array_replace(anyarray,anyelement,anyelement)'"); + appendPQExpBufferStr(&old_polymorphics, + ", 'array_remove(anyarray,anyelement)'" + ", 'array_replace(anyarray,anyelement,anyelement)'"); - appendPQExpBufferStr(&old_polymorphics, - ", 'array_position(anyarray,anyelement)'" - ", 'array_position(anyarray,anyelement,integer)'" - ", 'array_positions(anyarray,anyelement)'" - ", 'width_bucket(anyelement,anyarray)'"); + appendPQExpBufferStr(&old_polymorphics, + ", 'array_position(anyarray,anyelement)'" + ", 'array_position(anyarray,anyelement,integer)'" + ", 'array_positions(anyarray,anyelement)'" + ", 'width_bucket(anyelement,anyarray)'"); /* * The query below hardcodes FirstNormalObjectId as 16384 rather than diff --git a/src/bin/pg_upgrade/exec.c b/src/bin/pg_upgrade/exec.c index 479557abdcc..9a675929e17 100644 --- a/src/bin/pg_upgrade/exec.c +++ b/src/bin/pg_upgrade/exec.c @@ -55,7 +55,7 @@ get_bin_version(ClusterInfo *cluster) if (sscanf(cmd_output, "%*s %*s %d.%d", &v1, &v2) < 1) pg_fatal("could not get pg_ctl version output from %s", cmd); - cluster->bin_version = v1 * 10000; + cluster->bin_version = v1 * 10000; } @@ -344,8 +344,8 @@ check_data_dir(ClusterInfo *cluster) check_single_dir(pg_data, "pg_subtrans"); check_single_dir(pg_data, PG_TBLSPC_DIR); check_single_dir(pg_data, "pg_twophase"); - check_single_dir(pg_data, "pg_wal"); - check_single_dir(pg_data, "pg_xact"); + check_single_dir(pg_data, "pg_wal"); + check_single_dir(pg_data, "pg_xact"); } @@ -385,7 +385,7 @@ check_bin_dir(ClusterInfo *cluster, bool check_versions) */ get_bin_version(cluster); - check_exec(cluster->bindir, "pg_resetwal", check_versions); + check_exec(cluster->bindir, "pg_resetwal", check_versions); if (cluster == &new_cluster) { diff --git a/src/bin/pg_upgrade/multixact_rewrite.c b/src/bin/pg_upgrade/multixact_rewrite.c index c45b3183684..c7a1416494d 100644 --- a/src/bin/pg_upgrade/multixact_rewrite.c +++ b/src/bin/pg_upgrade/multixact_rewrite.c @@ -61,52 +61,52 @@ rewrite_multixacts(MultiXactId from_multi, MultiXactId to_multi) * Convert old multixids, if needed, by reading them one-by-one from the * old cluster. */ - old_reader = AllocOldMultiXactRead(old_cluster.pgdata, - old_cluster.controldata.chkpnt_nxtmulti, - old_cluster.controldata.chkpnt_nxtmxoff); + old_reader = AllocOldMultiXactRead(old_cluster.pgdata, + old_cluster.controldata.chkpnt_nxtmulti, + old_cluster.controldata.chkpnt_nxtmxoff); - for (MultiXactId multi = from_multi; multi != to_multi;) - { - MultiXactMember member; - bool multixid_valid; - - /* - * Read this multixid's members. - * - * Locking-only XIDs that may be part of multi-xids don't matter - * after upgrade, as there can be no transactions running across - * upgrade. So as a small optimization, we only read one member - * from each multixid: the one updating one, or if there was no - * update, arbitrarily the first locking xid. - */ - multixid_valid = GetOldMultiXactIdSingleMember(old_reader, multi, &member); + for (MultiXactId multi = from_multi; multi != to_multi;) + { + MultiXactMember member; + bool multixid_valid; - /* - * Write the new offset to pg_multixact/offsets. - * - * Even if this multixid is invalid, we still need to write its - * offset if the *previous* multixid was valid. That's because - * when reading a multixid, the number of members is calculated - * from the difference between the two offsets. - */ - RecordMultiXactOffset(offsets_writer, multi, - (multixid_valid || prev_multixid_valid) ? next_offset : 0); + /* + * Read this multixid's members. + * + * Locking-only XIDs that may be part of multi-xids don't matter after + * upgrade, as there can be no transactions running across upgrade. So + * as a small optimization, we only read one member from each + * multixid: the one updating one, or if there was no update, + * arbitrarily the first locking xid. + */ + multixid_valid = GetOldMultiXactIdSingleMember(old_reader, multi, &member); - /* Write the members */ - if (multixid_valid) - { - RecordMultiXactMembers(members_writer, next_offset, 1, &member); - next_offset += 1; - } + /* + * Write the new offset to pg_multixact/offsets. + * + * Even if this multixid is invalid, we still need to write its offset + * if the *previous* multixid was valid. That's because when reading + * a multixid, the number of members is calculated from the difference + * between the two offsets. + */ + RecordMultiXactOffset(offsets_writer, multi, + (multixid_valid || prev_multixid_valid) ? next_offset : 0); - /* Advance to next multixid, handling wraparound */ - multi++; - if (multi < FirstMultiXactId) - multi = FirstMultiXactId; - prev_multixid_valid = multixid_valid; + /* Write the members */ + if (multixid_valid) + { + RecordMultiXactMembers(members_writer, next_offset, 1, &member); + next_offset += 1; } - FreeOldMultiXactReader(old_reader); + /* Advance to next multixid, handling wraparound */ + multi++; + if (multi < FirstMultiXactId) + multi = FirstMultiXactId; + prev_multixid_valid = multixid_valid; + } + + FreeOldMultiXactReader(old_reader); /* Write the final 'next' offset to the last SLRU page */ RecordMultiXactOffset(offsets_writer, to_multi, diff --git a/src/bin/pg_upgrade/pg_upgrade.c b/src/bin/pg_upgrade/pg_upgrade.c index e5d7920c1b1..d8e1b680f5a 100644 --- a/src/bin/pg_upgrade/pg_upgrade.c +++ b/src/bin/pg_upgrade/pg_upgrade.c @@ -833,7 +833,7 @@ copy_xact_xlog_xid(void) * Determine the range of multixacts to convert. */ nxtmulti = old_cluster.controldata.chkpnt_nxtmulti; - oldstMulti = old_cluster.controldata.chkpnt_oldstMulti; + oldstMulti = old_cluster.controldata.chkpnt_oldstMulti; /* handle wraparound */ if (nxtmulti < FirstMultiXactId) nxtmulti = FirstMultiXactId; diff --git a/src/bin/pg_upgrade/relfilenumber.c b/src/bin/pg_upgrade/relfilenumber.c index ec2ff7acb21..6c467bdc8a5 100644 --- a/src/bin/pg_upgrade/relfilenumber.c +++ b/src/bin/pg_upgrade/relfilenumber.c @@ -587,32 +587,32 @@ transfer_relfile(FileNameMap *map, const char *type_suffix) /* Copying files might take some time, so give feedback. */ pg_log(PG_STATUS, "%s", old_file); - switch (user_opts.transfer_mode) - { - case TRANSFER_MODE_CLONE: - pg_log(PG_VERBOSE, "cloning \"%s\" to \"%s\"", - old_file, new_file); - cloneFile(old_file, new_file, map->nspname, map->relname); - break; - case TRANSFER_MODE_COPY: - pg_log(PG_VERBOSE, "copying \"%s\" to \"%s\"", - old_file, new_file); - copyFile(old_file, new_file, map->nspname, map->relname); - break; - case TRANSFER_MODE_COPY_FILE_RANGE: - pg_log(PG_VERBOSE, "copying \"%s\" to \"%s\" with copy_file_range", - old_file, new_file); - copyFileByRange(old_file, new_file, map->nspname, map->relname); - break; - case TRANSFER_MODE_LINK: - pg_log(PG_VERBOSE, "linking \"%s\" to \"%s\"", - old_file, new_file); - linkFile(old_file, new_file, map->nspname, map->relname); - break; - case TRANSFER_MODE_SWAP: - /* swap mode is handled in its own code path */ - pg_fatal("should never happen"); - break; - } + switch (user_opts.transfer_mode) + { + case TRANSFER_MODE_CLONE: + pg_log(PG_VERBOSE, "cloning \"%s\" to \"%s\"", + old_file, new_file); + cloneFile(old_file, new_file, map->nspname, map->relname); + break; + case TRANSFER_MODE_COPY: + pg_log(PG_VERBOSE, "copying \"%s\" to \"%s\"", + old_file, new_file); + copyFile(old_file, new_file, map->nspname, map->relname); + break; + case TRANSFER_MODE_COPY_FILE_RANGE: + pg_log(PG_VERBOSE, "copying \"%s\" to \"%s\" with copy_file_range", + old_file, new_file); + copyFileByRange(old_file, new_file, map->nspname, map->relname); + break; + case TRANSFER_MODE_LINK: + pg_log(PG_VERBOSE, "linking \"%s\" to \"%s\"", + old_file, new_file); + linkFile(old_file, new_file, map->nspname, map->relname); + break; + case TRANSFER_MODE_SWAP: + /* swap mode is handled in its own code path */ + pg_fatal("should never happen"); + break; + } } } diff --git a/src/bin/psql/command.c b/src/bin/psql/command.c index c9573d4b765..e5fb3595598 100644 --- a/src/bin/psql/command.c +++ b/src/bin/psql/command.c @@ -6272,23 +6272,22 @@ get_create_object_cmd(EditableObjectType obj_type, Oid oid, * ensure the right view gets replaced. Also, check relation kind * to be sure it's a view. * - * Views may have WITH [LOCAL|CASCADED] - * CHECK OPTION. These are not part of the view definition - * returned by pg_get_viewdef() and so need to be retrieved - * separately. Materialized views may have - * arbitrary storage parameter reloptions. + * Views may have WITH [LOCAL|CASCADED] CHECK OPTION. These are + * not part of the view definition returned by pg_get_viewdef() + * and so need to be retrieved separately. Materialized views may + * have arbitrary storage parameter reloptions. */ printfPQExpBuffer(query, "/* %s */\n", _("Get view's definition and details")); - appendPQExpBuffer(query, - "SELECT nspname, relname, relkind, " - "pg_catalog.pg_get_viewdef(c.oid, true), " - "pg_catalog.array_remove(pg_catalog.array_remove(c.reloptions,'check_option=local'),'check_option=cascaded') AS reloptions, " - "CASE WHEN 'check_option=local' = ANY (c.reloptions) THEN 'LOCAL'::text " - "WHEN 'check_option=cascaded' = ANY (c.reloptions) THEN 'CASCADED'::text ELSE NULL END AS checkoption " - "FROM pg_catalog.pg_class c " - "LEFT JOIN pg_catalog.pg_namespace n " - "ON c.relnamespace = n.oid WHERE c.oid = %u", - oid); + appendPQExpBuffer(query, + "SELECT nspname, relname, relkind, " + "pg_catalog.pg_get_viewdef(c.oid, true), " + "pg_catalog.array_remove(pg_catalog.array_remove(c.reloptions,'check_option=local'),'check_option=cascaded') AS reloptions, " + "CASE WHEN 'check_option=local' = ANY (c.reloptions) THEN 'LOCAL'::text " + "WHEN 'check_option=cascaded' = ANY (c.reloptions) THEN 'CASCADED'::text ELSE NULL END AS checkoption " + "FROM pg_catalog.pg_class c " + "LEFT JOIN pg_catalog.pg_namespace n " + "ON c.relnamespace = n.oid WHERE c.oid = %u", + oid); break; } diff --git a/src/bin/psql/describe.c b/src/bin/psql/describe.c index 9f26ed928cb..9731c0079c8 100644 --- a/src/bin/psql/describe.c +++ b/src/bin/psql/describe.c @@ -387,19 +387,19 @@ describeFunctions(const char *functypes, const char *func_pattern, gettext_noop("stable"), gettext_noop("volatile"), gettext_noop("Volatility")); - appendPQExpBuffer(&buf, - ",\n CASE\n" - " WHEN p.proparallel = " - CppAsString2(PROPARALLEL_RESTRICTED) " THEN '%s'\n" - " WHEN p.proparallel = " - CppAsString2(PROPARALLEL_SAFE) " THEN '%s'\n" - " WHEN p.proparallel = " - CppAsString2(PROPARALLEL_UNSAFE) " THEN '%s'\n" - " END as \"%s\"", - gettext_noop("restricted"), - gettext_noop("safe"), - gettext_noop("unsafe"), - gettext_noop("Parallel")); + appendPQExpBuffer(&buf, + ",\n CASE\n" + " WHEN p.proparallel = " + CppAsString2(PROPARALLEL_RESTRICTED) " THEN '%s'\n" + " WHEN p.proparallel = " + CppAsString2(PROPARALLEL_SAFE) " THEN '%s'\n" + " WHEN p.proparallel = " + CppAsString2(PROPARALLEL_UNSAFE) " THEN '%s'\n" + " END as \"%s\"", + gettext_noop("restricted"), + gettext_noop("safe"), + gettext_noop("unsafe"), + gettext_noop("Parallel")); appendPQExpBuffer(&buf, ",\n pg_catalog.pg_get_userbyid(p.proowner) as \"%s\"" ",\n CASE WHEN prosecdef THEN '%s' ELSE '%s' END AS \"%s\"" @@ -599,8 +599,8 @@ describeFunctions(const char *functypes, const char *func_pattern, myopt.title = _("List of functions"); myopt.translate_header = true; - myopt.translate_columns = translate_columns; - myopt.n_translate_columns = lengthof(translate_columns); + myopt.translate_columns = translate_columns; + myopt.n_translate_columns = lengthof(translate_columns); printQuery(res, &myopt, pset.queryFout, false, pset.logfile); @@ -1086,38 +1086,38 @@ permissionsList(const char *pattern, bool showSystem) " ), E'\\n') AS \"%s\"", gettext_noop("Column privileges")); - appendPQExpBuffer(&buf, - ",\n pg_catalog.array_to_string(ARRAY(\n" - " SELECT polname\n" - " || CASE WHEN NOT polpermissive THEN\n" - " E' (RESTRICTIVE)'\n" - " ELSE '' END\n" - " || CASE WHEN polcmd != '*' THEN\n" - " E' (' || polcmd::pg_catalog.text || E'):'\n" - " ELSE E':'\n" - " END\n" - " || CASE WHEN polqual IS NOT NULL THEN\n" - " E'\\n (u): ' || pg_catalog.pg_get_expr(polqual, polrelid)\n" - " ELSE E''\n" - " END\n" - " || CASE WHEN polwithcheck IS NOT NULL THEN\n" - " E'\\n (c): ' || pg_catalog.pg_get_expr(polwithcheck, polrelid)\n" - " ELSE E''\n" - " END" - " || CASE WHEN polroles <> '{0}' THEN\n" - " E'\\n to: ' || pg_catalog.array_to_string(\n" - " ARRAY(\n" - " SELECT rolname\n" - " FROM pg_catalog.pg_roles\n" - " WHERE oid = ANY (polroles)\n" - " ORDER BY 1\n" - " ), E', ')\n" - " ELSE E''\n" - " END\n" - " FROM pg_catalog.pg_policy pol\n" - " WHERE polrelid = c.oid), E'\\n')\n" - " AS \"%s\"", - gettext_noop("Policies")); + appendPQExpBuffer(&buf, + ",\n pg_catalog.array_to_string(ARRAY(\n" + " SELECT polname\n" + " || CASE WHEN NOT polpermissive THEN\n" + " E' (RESTRICTIVE)'\n" + " ELSE '' END\n" + " || CASE WHEN polcmd != '*' THEN\n" + " E' (' || polcmd::pg_catalog.text || E'):'\n" + " ELSE E':'\n" + " END\n" + " || CASE WHEN polqual IS NOT NULL THEN\n" + " E'\\n (u): ' || pg_catalog.pg_get_expr(polqual, polrelid)\n" + " ELSE E''\n" + " END\n" + " || CASE WHEN polwithcheck IS NOT NULL THEN\n" + " E'\\n (c): ' || pg_catalog.pg_get_expr(polwithcheck, polrelid)\n" + " ELSE E''\n" + " END" + " || CASE WHEN polroles <> '{0}' THEN\n" + " E'\\n to: ' || pg_catalog.array_to_string(\n" + " ARRAY(\n" + " SELECT rolname\n" + " FROM pg_catalog.pg_roles\n" + " WHERE oid = ANY (polroles)\n" + " ORDER BY 1\n" + " ), E', ')\n" + " ELSE E''\n" + " END\n" + " FROM pg_catalog.pg_policy pol\n" + " WHERE polrelid = c.oid), E'\\n')\n" + " AS \"%s\"", + gettext_noop("Policies")); appendPQExpBufferStr(&buf, "\nFROM pg_catalog.pg_class c\n" " LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace\n" @@ -1675,27 +1675,27 @@ describeOneTableDetails(const char *schemaname, char *footers[3] = {NULL, NULL, NULL}; printfPQExpBuffer(&buf, "/* %s */\n", _("Get sequence information")); - appendPQExpBuffer(&buf, - "SELECT pg_catalog.format_type(seqtypid, NULL) AS \"%s\",\n" - " seqstart AS \"%s\",\n" - " seqmin AS \"%s\",\n" - " seqmax AS \"%s\",\n" - " seqincrement AS \"%s\",\n" - " CASE WHEN seqcycle THEN '%s' ELSE '%s' END AS \"%s\",\n" - " seqcache AS \"%s\"\n", - gettext_noop("Type"), - gettext_noop("Start"), - gettext_noop("Minimum"), - gettext_noop("Maximum"), - gettext_noop("Increment"), - gettext_noop("yes"), - gettext_noop("no"), - gettext_noop("Cycles?"), - gettext_noop("Cache")); - appendPQExpBuffer(&buf, - "FROM pg_catalog.pg_sequence\n" - "WHERE seqrelid = '%s';", - oid); + appendPQExpBuffer(&buf, + "SELECT pg_catalog.format_type(seqtypid, NULL) AS \"%s\",\n" + " seqstart AS \"%s\",\n" + " seqmin AS \"%s\",\n" + " seqmax AS \"%s\",\n" + " seqincrement AS \"%s\",\n" + " CASE WHEN seqcycle THEN '%s' ELSE '%s' END AS \"%s\",\n" + " seqcache AS \"%s\"\n", + gettext_noop("Type"), + gettext_noop("Start"), + gettext_noop("Minimum"), + gettext_noop("Maximum"), + gettext_noop("Increment"), + gettext_noop("yes"), + gettext_noop("no"), + gettext_noop("Cycles?"), + gettext_noop("Cache")); + appendPQExpBuffer(&buf, + "FROM pg_catalog.pg_sequence\n" + "WHERE seqrelid = '%s';", + oid); res = PSQLexec(buf.data); if (!res) @@ -1913,7 +1913,7 @@ describeOneTableDetails(const char *schemaname, appendPQExpBufferStr(&buf, ",\n (SELECT c.collname FROM pg_catalog.pg_collation c, pg_catalog.pg_type t\n" " WHERE c.oid = a.attcollation AND t.oid = a.atttypid AND a.attcollation <> t.typcollation) AS attcollation"); attcoll_col = cols++; - appendPQExpBufferStr(&buf, ",\n a.attidentity"); + appendPQExpBufferStr(&buf, ",\n a.attidentity"); attidentity_col = cols++; if (pset.sversion >= 120000) appendPQExpBufferStr(&buf, ",\n a.attgenerated"); @@ -2326,7 +2326,7 @@ describeOneTableDetails(const char *schemaname, CppAsString2(CONSTRAINT_EXCLUSION) ") AND " "condeferred) AS condeferred,\n"); - appendPQExpBufferStr(&buf, "i.indisreplident,\n"); + appendPQExpBufferStr(&buf, "i.indisreplident,\n"); if (pset.sversion >= 150000) appendPQExpBufferStr(&buf, "i.indnullsnotdistinct,\n"); @@ -2431,7 +2431,7 @@ describeOneTableDetails(const char *schemaname, "pg_catalog.pg_get_indexdef(i.indexrelid, 0, true),\n " "pg_catalog.pg_get_constraintdef(con.oid, true), " "contype, condeferrable, condeferred"); - appendPQExpBufferStr(&buf, ", i.indisreplident"); + appendPQExpBufferStr(&buf, ", i.indisreplident"); appendPQExpBufferStr(&buf, ", c2.reltablespace"); if (pset.sversion >= 180000) appendPQExpBufferStr(&buf, ", con.conperiod"); @@ -2682,81 +2682,80 @@ describeOneTableDetails(const char *schemaname, PQclear(result); /* print any row-level policies */ - printfPQExpBuffer(&buf, "/* %s */\n", - _("Get row-level policies for this table")); - appendPQExpBufferStr(&buf, "SELECT pol.polname,"); - appendPQExpBufferStr(&buf, - " pol.polpermissive,\n"); - appendPQExpBuffer(&buf, - " CASE WHEN pol.polroles = '{0}' THEN NULL ELSE pg_catalog.array_to_string(array(select rolname from pg_catalog.pg_roles where oid = any (pol.polroles) order by 1),',') END,\n" - " pg_catalog.pg_get_expr(pol.polqual, pol.polrelid),\n" - " pg_catalog.pg_get_expr(pol.polwithcheck, pol.polrelid),\n" - " CASE pol.polcmd\n" - " WHEN 'r' THEN 'SELECT'\n" - " WHEN 'a' THEN 'INSERT'\n" - " WHEN 'w' THEN 'UPDATE'\n" - " WHEN 'd' THEN 'DELETE'\n" - " END AS cmd\n" - "FROM pg_catalog.pg_policy pol\n" - "WHERE pol.polrelid = '%s' ORDER BY 1;", - oid); + printfPQExpBuffer(&buf, "/* %s */\n", + _("Get row-level policies for this table")); + appendPQExpBufferStr(&buf, "SELECT pol.polname,"); + appendPQExpBufferStr(&buf, + " pol.polpermissive,\n"); + appendPQExpBuffer(&buf, + " CASE WHEN pol.polroles = '{0}' THEN NULL ELSE pg_catalog.array_to_string(array(select rolname from pg_catalog.pg_roles where oid = any (pol.polroles) order by 1),',') END,\n" + " pg_catalog.pg_get_expr(pol.polqual, pol.polrelid),\n" + " pg_catalog.pg_get_expr(pol.polwithcheck, pol.polrelid),\n" + " CASE pol.polcmd\n" + " WHEN 'r' THEN 'SELECT'\n" + " WHEN 'a' THEN 'INSERT'\n" + " WHEN 'w' THEN 'UPDATE'\n" + " WHEN 'd' THEN 'DELETE'\n" + " END AS cmd\n" + "FROM pg_catalog.pg_policy pol\n" + "WHERE pol.polrelid = '%s' ORDER BY 1;", + oid); - result = PSQLexec(buf.data); - if (!result) - goto error_return; - else - tuples = PQntuples(result); + result = PSQLexec(buf.data); + if (!result) + goto error_return; + else + tuples = PQntuples(result); - /* - * Handle cases where RLS is enabled and there are policies, or - * there aren't policies, or RLS isn't enabled but there are - * policies - */ - if (tableinfo.rowsecurity && !tableinfo.forcerowsecurity && tuples > 0) - printTableAddFooter(&cont, _("Policies:")); + /* + * Handle cases where RLS is enabled and there are policies, or there + * aren't policies, or RLS isn't enabled but there are policies + */ + if (tableinfo.rowsecurity && !tableinfo.forcerowsecurity && tuples > 0) + printTableAddFooter(&cont, _("Policies:")); - if (tableinfo.rowsecurity && tableinfo.forcerowsecurity && tuples > 0) - printTableAddFooter(&cont, _("Policies (forced row security enabled):")); + if (tableinfo.rowsecurity && tableinfo.forcerowsecurity && tuples > 0) + printTableAddFooter(&cont, _("Policies (forced row security enabled):")); - if (tableinfo.rowsecurity && !tableinfo.forcerowsecurity && tuples == 0) - printTableAddFooter(&cont, _("Policies (row security enabled): (none)")); + if (tableinfo.rowsecurity && !tableinfo.forcerowsecurity && tuples == 0) + printTableAddFooter(&cont, _("Policies (row security enabled): (none)")); - if (tableinfo.rowsecurity && tableinfo.forcerowsecurity && tuples == 0) - printTableAddFooter(&cont, _("Policies (forced row security enabled): (none)")); + if (tableinfo.rowsecurity && tableinfo.forcerowsecurity && tuples == 0) + printTableAddFooter(&cont, _("Policies (forced row security enabled): (none)")); - if (!tableinfo.rowsecurity && tuples > 0) - printTableAddFooter(&cont, _("Policies (row security disabled):")); + if (!tableinfo.rowsecurity && tuples > 0) + printTableAddFooter(&cont, _("Policies (row security disabled):")); - /* Might be an empty set - that's ok */ - for (i = 0; i < tuples; i++) - { - printfPQExpBuffer(&buf, " POLICY \"%s\"", - PQgetvalue(result, i, 0)); + /* Might be an empty set - that's ok */ + for (i = 0; i < tuples; i++) + { + printfPQExpBuffer(&buf, " POLICY \"%s\"", + PQgetvalue(result, i, 0)); - if (*(PQgetvalue(result, i, 1)) == 'f') - appendPQExpBufferStr(&buf, " AS RESTRICTIVE"); + if (*(PQgetvalue(result, i, 1)) == 'f') + appendPQExpBufferStr(&buf, " AS RESTRICTIVE"); - if (!PQgetisnull(result, i, 5)) - appendPQExpBuffer(&buf, " FOR %s", - PQgetvalue(result, i, 5)); + if (!PQgetisnull(result, i, 5)) + appendPQExpBuffer(&buf, " FOR %s", + PQgetvalue(result, i, 5)); - if (!PQgetisnull(result, i, 2)) - { - appendPQExpBuffer(&buf, "\n TO %s", - PQgetvalue(result, i, 2)); - } + if (!PQgetisnull(result, i, 2)) + { + appendPQExpBuffer(&buf, "\n TO %s", + PQgetvalue(result, i, 2)); + } - if (!PQgetisnull(result, i, 3)) - appendPQExpBuffer(&buf, "\n USING (%s)", - PQgetvalue(result, i, 3)); + if (!PQgetisnull(result, i, 3)) + appendPQExpBuffer(&buf, "\n USING (%s)", + PQgetvalue(result, i, 3)); - if (!PQgetisnull(result, i, 4)) - appendPQExpBuffer(&buf, "\n WITH CHECK (%s)", - PQgetvalue(result, i, 4)); + if (!PQgetisnull(result, i, 4)) + appendPQExpBuffer(&buf, "\n WITH CHECK (%s)", + PQgetvalue(result, i, 4)); - printTableAddFooter(&cont, buf.data); - } - PQclear(result); + printTableAddFooter(&cont, buf.data); + } + PQclear(result); /* print any extended statistics */ if (pset.sversion >= 140000) @@ -3025,115 +3024,115 @@ describeOneTableDetails(const char *schemaname, } /* print any publications */ - printfPQExpBuffer(&buf, "/* %s */\n", - _("Get publications that publish this table")); - if (pset.sversion >= 150000) + printfPQExpBuffer(&buf, "/* %s */\n", + _("Get publications that publish this table")); + if (pset.sversion >= 150000) + { + appendPQExpBuffer(&buf, + "SELECT pubname\n" + " , NULL\n" + " , NULL\n" + "FROM pg_catalog.pg_publication p\n" + " JOIN pg_catalog.pg_publication_namespace pn ON p.oid = pn.pnpubid\n" + " JOIN pg_catalog.pg_class pc ON pc.relnamespace = pn.pnnspid\n" + "WHERE pc.oid ='%s' and pg_catalog.pg_relation_is_publishable('%s')\n" + "UNION\n" + "SELECT pubname\n" + " , pg_get_expr(pr.prqual, c.oid)\n" + " , (CASE WHEN pr.prattrs IS NOT NULL THEN\n" + " (SELECT string_agg(attname, ', ')\n" + " FROM pg_catalog.generate_series(0, pg_catalog.array_upper(pr.prattrs::pg_catalog.int2[], 1)) s,\n" + " pg_catalog.pg_attribute\n" + " WHERE attrelid = pr.prrelid AND attnum = prattrs[s])\n" + " ELSE NULL END) " + "FROM pg_catalog.pg_publication p\n" + " JOIN pg_catalog.pg_publication_rel pr ON p.oid = pr.prpubid\n" + " JOIN pg_catalog.pg_class c ON c.oid = pr.prrelid\n" + "WHERE pr.prrelid = '%s'\n", + oid, oid, oid); + + if (pset.sversion >= 190000) { + /* + * Skip entries where this relation appears in the + * publication's EXCEPT list. + */ appendPQExpBuffer(&buf, + " AND NOT pr.prexcept\n" + "UNION\n" "SELECT pubname\n" " , NULL\n" " , NULL\n" "FROM pg_catalog.pg_publication p\n" - " JOIN pg_catalog.pg_publication_namespace pn ON p.oid = pn.pnpubid\n" - " JOIN pg_catalog.pg_class pc ON pc.relnamespace = pn.pnnspid\n" - "WHERE pc.oid ='%s' and pg_catalog.pg_relation_is_publishable('%s')\n" - "UNION\n" - "SELECT pubname\n" - " , pg_get_expr(pr.prqual, c.oid)\n" - " , (CASE WHEN pr.prattrs IS NOT NULL THEN\n" - " (SELECT string_agg(attname, ', ')\n" - " FROM pg_catalog.generate_series(0, pg_catalog.array_upper(pr.prattrs::pg_catalog.int2[], 1)) s,\n" - " pg_catalog.pg_attribute\n" - " WHERE attrelid = pr.prrelid AND attnum = prattrs[s])\n" - " ELSE NULL END) " - "FROM pg_catalog.pg_publication p\n" - " JOIN pg_catalog.pg_publication_rel pr ON p.oid = pr.prpubid\n" - " JOIN pg_catalog.pg_class c ON c.oid = pr.prrelid\n" - "WHERE pr.prrelid = '%s'\n", + "WHERE p.puballtables AND pg_catalog.pg_relation_is_publishable('%s')\n" + " AND NOT EXISTS (\n" + " SELECT 1\n" + " FROM pg_catalog.pg_publication_rel pr\n" + " WHERE pr.prpubid = p.oid AND\n" + " (pr.prrelid = '%s' OR pr.prrelid = pg_catalog.pg_partition_root('%s')))\n" + "ORDER BY 1;", oid, oid, oid); - - if (pset.sversion >= 190000) - { - /* - * Skip entries where this relation appears in the - * publication's EXCEPT list. - */ - appendPQExpBuffer(&buf, - " AND NOT pr.prexcept\n" - "UNION\n" - "SELECT pubname\n" - " , NULL\n" - " , NULL\n" - "FROM pg_catalog.pg_publication p\n" - "WHERE p.puballtables AND pg_catalog.pg_relation_is_publishable('%s')\n" - " AND NOT EXISTS (\n" - " SELECT 1\n" - " FROM pg_catalog.pg_publication_rel pr\n" - " WHERE pr.prpubid = p.oid AND\n" - " (pr.prrelid = '%s' OR pr.prrelid = pg_catalog.pg_partition_root('%s')))\n" - "ORDER BY 1;", - oid, oid, oid); - } - else - { - appendPQExpBuffer(&buf, - "UNION\n" - "SELECT pubname\n" - " , NULL\n" - " , NULL\n" - "FROM pg_catalog.pg_publication p\n" - "WHERE p.puballtables AND pg_catalog.pg_relation_is_publishable('%s')\n" - "ORDER BY 1;", - oid); - } } else { appendPQExpBuffer(&buf, + "UNION\n" "SELECT pubname\n" - " , NULL\n" - " , NULL\n" - "FROM pg_catalog.pg_publication p\n" - "JOIN pg_catalog.pg_publication_rel pr ON p.oid = pr.prpubid\n" - "WHERE pr.prrelid = '%s'\n" - "UNION ALL\n" - "SELECT pubname\n" - " , NULL\n" - " , NULL\n" + " , NULL\n" + " , NULL\n" "FROM pg_catalog.pg_publication p\n" "WHERE p.puballtables AND pg_catalog.pg_relation_is_publishable('%s')\n" "ORDER BY 1;", - oid, oid); + oid); } + } + else + { + appendPQExpBuffer(&buf, + "SELECT pubname\n" + " , NULL\n" + " , NULL\n" + "FROM pg_catalog.pg_publication p\n" + "JOIN pg_catalog.pg_publication_rel pr ON p.oid = pr.prpubid\n" + "WHERE pr.prrelid = '%s'\n" + "UNION ALL\n" + "SELECT pubname\n" + " , NULL\n" + " , NULL\n" + "FROM pg_catalog.pg_publication p\n" + "WHERE p.puballtables AND pg_catalog.pg_relation_is_publishable('%s')\n" + "ORDER BY 1;", + oid, oid); + } - result = PSQLexec(buf.data); - if (!result) - goto error_return; - else - tuples = PQntuples(result); + result = PSQLexec(buf.data); + if (!result) + goto error_return; + else + tuples = PQntuples(result); - if (tuples > 0) - printTableAddFooter(&cont, _("Included in publications:")); + if (tuples > 0) + printTableAddFooter(&cont, _("Included in publications:")); - /* Might be an empty set - that's ok */ - for (i = 0; i < tuples; i++) - { - printfPQExpBuffer(&buf, " \"%s\"", - PQgetvalue(result, i, 0)); + /* Might be an empty set - that's ok */ + for (i = 0; i < tuples; i++) + { + printfPQExpBuffer(&buf, " \"%s\"", + PQgetvalue(result, i, 0)); - /* column list (if any) */ - if (!PQgetisnull(result, i, 2)) - appendPQExpBuffer(&buf, " (%s)", - PQgetvalue(result, i, 2)); + /* column list (if any) */ + if (!PQgetisnull(result, i, 2)) + appendPQExpBuffer(&buf, " (%s)", + PQgetvalue(result, i, 2)); - /* row filter (if any) */ - if (!PQgetisnull(result, i, 1)) - appendPQExpBuffer(&buf, " WHERE %s", - PQgetvalue(result, i, 1)); + /* row filter (if any) */ + if (!PQgetisnull(result, i, 1)) + appendPQExpBuffer(&buf, " WHERE %s", + PQgetvalue(result, i, 1)); - printTableAddFooter(&cont, buf.data); - } - PQclear(result); + printTableAddFooter(&cont, buf.data); + } + PQclear(result); /* Print publications where the table is in the EXCEPT clause */ if (pset.sversion >= 190000) @@ -3805,7 +3804,7 @@ describeRoles(const char *pattern, bool verbose, bool showSystem) ncols++; } appendPQExpBufferStr(&buf, "\n, r.rolreplication"); - appendPQExpBufferStr(&buf, "\n, r.rolbypassrls"); + appendPQExpBufferStr(&buf, "\n, r.rolbypassrls"); appendPQExpBufferStr(&buf, "\nFROM pg_catalog.pg_roles r\n"); @@ -3860,8 +3859,8 @@ describeRoles(const char *pattern, bool verbose, bool showSystem) if (strcmp(PQgetvalue(res, i, (verbose ? 9 : 8)), "t") == 0) add_role_attribute(&buf, _("Replication")); - if (strcmp(PQgetvalue(res, i, (verbose ? 10 : 9)), "t") == 0) - add_role_attribute(&buf, _("Bypass RLS")); + if (strcmp(PQgetvalue(res, i, (verbose ? 10 : 9)), "t") == 0) + add_role_attribute(&buf, _("Bypass RLS")); conns = atoi(PQgetvalue(res, i, 6)); if (conns >= 0) @@ -5155,14 +5154,14 @@ listCollations(const char *pattern, bool verbose, bool showSystem) gettext_noop("Schema"), gettext_noop("Name")); - appendPQExpBuffer(&buf, - " CASE c.collprovider " - "WHEN " CppAsString2(COLLPROVIDER_DEFAULT) " THEN 'default' " - "WHEN " CppAsString2(COLLPROVIDER_BUILTIN) " THEN 'builtin' " - "WHEN " CppAsString2(COLLPROVIDER_LIBC) " THEN 'libc' " - "WHEN " CppAsString2(COLLPROVIDER_ICU) " THEN 'icu' " - "END AS \"%s\",\n", - gettext_noop("Provider")); + appendPQExpBuffer(&buf, + " CASE c.collprovider " + "WHEN " CppAsString2(COLLPROVIDER_DEFAULT) " THEN 'default' " + "WHEN " CppAsString2(COLLPROVIDER_BUILTIN) " THEN 'builtin' " + "WHEN " CppAsString2(COLLPROVIDER_LIBC) " THEN 'libc' " + "WHEN " CppAsString2(COLLPROVIDER_ICU) " THEN 'icu' " + "END AS \"%s\",\n", + gettext_noop("Provider")); appendPQExpBuffer(&buf, " c.collcollate AS \"%s\",\n" -- 2.50.1 (Apple Git-155) --6vzYk1swa63ey9i6-- ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-06-16 11:54 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-06-16 11:54 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 9407c357f27..fa5a53d04ff 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 9ab74c8df0a..2af586669ae 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -689,6 +689,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1376,22 +1378,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1408,9 +1404,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1495,9 +1489,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1524,7 +1516,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1537,8 +1529,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -3926,27 +3918,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4034,11 +4018,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 2debadd86ed..28b34fd4387 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -503,13 +503,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -528,15 +526,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -546,7 +538,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -670,11 +662,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1207,7 +1196,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index 38f9ffcd04f..c0f6217caa6 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23245,9 +23245,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23379,18 +23377,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23427,11 +23416,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index a4abb29cf64..8922d713916 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index b4d5abbaca7..90234c3f736 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1325,6 +1325,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v01-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
* [PATCH 5/8] Simplify the way restrictions are imposed on index functions. @ 2026-07-15 08:37 Antonin Houska <[email protected]> 0 siblings, 0 replies; 94+ messages in thread From: Antonin Houska @ 2026-07-15 08:37 UTC (permalink / raw) Whenever we expect possible execution of index functions, we need to make sure that they execute with the appropriate privileges. Also, the core should not see (and use) values of GUC parameters introduced by the index functions. This patch introduces functions enable_index_build_security() and disable_index_build_security() which make the security measures less verbose. It's needed for the upcoming enhancements of REPACK (CONCURRENTLY), but looks like useful refactoring anyway. --- src/backend/access/brin/brin.c | 32 ++++---------- src/backend/catalog/index.c | 72 ++++++++++++++++++-------------- src/backend/commands/analyze.c | 21 +++------- src/backend/commands/indexcmds.c | 49 +++++++--------------- src/backend/commands/repack.c | 24 +++-------- src/backend/commands/tablecmds.c | 24 +++-------- src/backend/commands/vacuum.c | 23 +++------- src/include/catalog/index.h | 10 +++++ src/tools/pgindent/typedefs.list | 1 + 9 files changed, 95 insertions(+), 161 deletions(-) diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c index bdb30752e09..2359bffa518 100644 --- a/src/backend/access/brin/brin.c +++ b/src/backend/access/brin/brin.c @@ -1391,10 +1391,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) Oid heapoid; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; double numSummarized = 0; + IndexBuildSecurity ibsec; if (RecoveryInProgress()) ereport(ERROR, @@ -1420,27 +1418,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) heapRel = table_open(heapoid, ShareUpdateExclusiveLock); /* - * Autovacuum calls us. For its benefit, switch to the table owner's - * userid, so that any index functions are run as that user. Also - * lock down security-restricted operations and arrange to make GUC - * variable changes local to this command. This is harmless, albeit - * unnecessary, when called from SQL, because we fail shortly if the - * user does not own the index. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); } else - { heapRel = NULL; - /* Set these just to suppress "uninitialized variable" warnings */ - save_userid = InvalidOid; - save_sec_context = -1; - save_nestlevel = -1; - } indexRel = index_open(indexoid, ShareUpdateExclusiveLock); @@ -1453,7 +1436,8 @@ brin_summarize_range(PG_FUNCTION_ARGS) RelationGetRelationName(indexRel)))); /* User must own the index (comparable to privileges needed for VACUUM) */ - if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, save_userid)) + if (heapRel != NULL && !object_ownercheck(RelationRelationId, indexoid, + ibsec.userid)) aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, RelationGetRelationName(indexRel)); @@ -1477,11 +1461,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) errmsg("index \"%s\" is not valid", RelationGetRelationName(indexRel)))); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); index_close(indexRel, ShareUpdateExclusiveLock); table_close(heapRel, ShareUpdateExclusiveLock); diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c index 81bba4beac7..8eabe232d1e 100644 --- a/src/backend/catalog/index.c +++ b/src/backend/catalog/index.c @@ -1504,11 +1504,9 @@ index_concurrently_build(Oid heapRelationId, Oid indexRelationId) { Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation indexRelation; IndexInfo *indexInfo; + IndexBuildSecurity ibsec; /* This had better make sure that a snapshot is active */ Assert(ActiveSnapshotSet()); @@ -1517,15 +1515,9 @@ index_concurrently_build(Oid heapRelationId, heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); indexRelation = index_open(indexRelationId, RowExclusiveLock); @@ -1542,11 +1534,8 @@ index_concurrently_build(Oid heapRelationId, /* Now build the index */ index_build(heapRel, indexRelation, indexInfo, false, true, true); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close both the relations, but keep the locks */ table_close(heapRel, NoLock); @@ -3375,9 +3364,7 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) IndexInfo *indexInfo; IndexVacuumInfo ivinfo; ValidateIndexState state; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; { const int progress_index[] = { @@ -3399,15 +3386,9 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) heapRelation = table_open(heapId, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRelation->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRelation->rd_rel->relowner, &ibsec); indexRelation = index_open(indexId, RowExclusiveLock); @@ -3486,11 +3467,8 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) "validate_index found %.0f heap tuples, %.0f index tuples; inserted %.0f missing tuples", state.htups, state.itups, state.tups_inserted); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Close rels, but keep locks */ index_close(indexRelation, NoLock); @@ -4115,6 +4093,36 @@ reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, return result; } +/* + * Before building an index, witch to the table owner's userid, so that any + * index functions are run as that user. Also lock down security-restricted + * operations and arrange to make GUC variable changes local to this command. + * + * Information needed later by disable_index_build_security() is stored in + * *sec. + */ +void +enable_index_build_security(Oid userid, IndexBuildSecurity *sec) +{ + GetUserIdAndSecContext(&sec->userid, &sec->sec_context); + SetUserIdAndSecContext(userid, + sec->sec_context | SECURITY_RESTRICTED_OPERATION); + sec->nestlevel = NewGUCNestLevel(); + RestrictSearchPath(); +} + +/* + * Undo what enable_index_build_security() did. + */ +void +disable_index_build_security(IndexBuildSecurity *sec) +{ + /* Roll back any GUC changes executed by index functions */ + AtEOXact_GUC(false, sec->nestlevel); + + /* Restore userid and security context */ + SetUserIdAndSecContext(sec->userid, sec->sec_context); +} /* ---------------------------------------------------------------- * System index reindexing support diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c index f66e80b757c..dc2ad77ef9a 100644 --- a/src/backend/commands/analyze.c +++ b/src/backend/commands/analyze.c @@ -328,14 +328,12 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, PGRUsage ru0; TimestampTz starttime = 0; MemoryContext caller_context; - Oid save_userid; - int save_sec_context; - int save_nestlevel; WalUsage startwalusage = pgWalUsage; BufferUsage startbufferusage = pgBufferUsage; BufferUsage bufferusage; PgStat_Counter startreadtime = 0; PgStat_Counter startwritetime = 0; + IndexBuildSecurity ibsec; verbose = (params->options & VACOPT_VERBOSE) != 0; instrument = (verbose || (AmAutoVacuumWorkerProcess() && @@ -361,15 +359,9 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, caller_context = MemoryContextSwitchTo(anl_context); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(onerel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(onerel->rd_rel->relowner, &ibsec); /* * When verbose or autovacuum logging is used, initialize a resource usage @@ -858,11 +850,8 @@ do_analyze_rel(Relation onerel, const VacuumParams *params, } } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* Restore current context and release memory */ MemoryContextSwitchTo(caller_context); diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c index 713bb5d10f1..5bc28c94139 100644 --- a/src/backend/commands/indexcmds.c +++ b/src/backend/commands/indexcmds.c @@ -699,6 +699,8 @@ DefineIndex(ParseState *pstate, * Switch to the table owner's userid, so that any index functions are run * as that user. Also lock down security-restricted operations. We * already arranged to make GUC variable changes local to this command. + * + * XXX Use enable_index_build_security()? */ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); SetUserIdAndSecContext(rel->rd_rel->relowner, @@ -1386,22 +1388,16 @@ DefineIndex(ParseState *pstate, { Oid childRelid = part_oids[i]; Relation childrel; - Oid child_save_userid; - int child_save_sec_context; - int child_save_nestlevel; List *childidxs; ListCell *cell; AttrMap *attmap; bool found = false; + IndexBuildSecurity child_ibsec; childrel = table_open(childRelid, lockmode); - GetUserIdAndSecContext(&child_save_userid, - &child_save_sec_context); - SetUserIdAndSecContext(childrel->rd_rel->relowner, - child_save_sec_context | SECURITY_RESTRICTED_OPERATION); - child_save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(childrel->rd_rel->relowner, + &child_ibsec); /* * Don't try to create indexes on foreign tables, though. Skip @@ -1418,9 +1414,7 @@ DefineIndex(ParseState *pstate, errdetail("Table \"%s\" contains partitions that are foreign tables.", RelationGetRelationName(rel)))); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, lockmode); continue; } @@ -1505,9 +1499,7 @@ DefineIndex(ParseState *pstate, } list_free(childidxs); - AtEOXact_GUC(false, child_save_nestlevel); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + disable_index_build_security(&child_ibsec); table_close(childrel, NoLock); /* @@ -1534,7 +1526,7 @@ DefineIndex(ParseState *pstate, * Recurse as the starting user ID. Callee will use that * for permission checks, then switch again. */ - Assert(GetUserId() == child_save_userid); + Assert(GetUserId() == child_ibsec.userid); SetUserIdAndSecContext(root_save_userid, root_save_sec_context); childAddr = @@ -1547,8 +1539,8 @@ DefineIndex(ParseState *pstate, is_alter_table, check_rights, check_not_in_use, skip_build, quiet); - SetUserIdAndSecContext(child_save_userid, - child_save_sec_context); + SetUserIdAndSecContext(child_ibsec.userid, + child_ibsec.sec_context); /* * Check if the index just created is valid or not, as it @@ -4051,27 +4043,19 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein Oid newIndexId; Relation indexRel; Relation heapRel; - Oid save_userid; - int save_sec_context; - int save_nestlevel; Relation newIndexRel; LockRelId *lockrelid; Oid tablespaceid; + IndexBuildSecurity ibsec; indexRel = index_open(idx->indexId, ShareUpdateExclusiveLock); heapRel = table_open(indexRel->rd_index->indrelid, ShareUpdateExclusiveLock); /* - * Switch to the table owner's userid, so that any index functions are - * run as that user. Also lock down security-restricted operations - * and arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(heapRel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(heapRel->rd_rel->relowner, &ibsec); /* determine safety of this index for set_indexsafe_procflags */ idx->safe = (RelationGetIndexExpressions(indexRel) == NIL && @@ -4159,11 +4143,8 @@ ReindexRelationConcurrently(const ReindexStmt *stmt, Oid relationOid, const Rein index_close(indexRel, NoLock); index_close(newIndexRel, NoLock); - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); table_close(heapRel, NoLock); diff --git a/src/backend/commands/repack.c b/src/backend/commands/repack.c index 0bf19d07db5..1ad453a39a0 100644 --- a/src/backend/commands/repack.c +++ b/src/backend/commands/repack.c @@ -514,13 +514,11 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, Oid tableOid = RelationGetRelid(OldHeap); Relation index; LOCKMODE lmode; - Oid save_userid; - int save_sec_context; - int save_nestlevel; bool verbose = ((params->options & CLUOPT_VERBOSE) != 0); bool recheck = ((params->options & CLUOPT_RECHECK) != 0); bool concurrent = ((params->options & CLUOPT_CONCURRENT) != 0); Oid ident_idx = InvalidOid; + IndexBuildSecurity ibsec; /* Determine the lock mode to use. */ lmode = RepackLockLevel(concurrent); @@ -539,15 +537,9 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, pgstat_progress_update_param(PROGRESS_REPACK_COMMAND, cmd); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(OldHeap->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(OldHeap->rd_rel->relowner, &ibsec); /* * Recheck that the relation is still what it was when we started. @@ -557,7 +549,7 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, * not-previously-clustered index. */ if (recheck && - !cluster_rel_recheck(cmd, OldHeap, indexOid, save_userid, + !cluster_rel_recheck(cmd, OldHeap, indexOid, GetUserId(), lmode, params->options)) goto out; @@ -681,11 +673,8 @@ cluster_rel(RepackCommand cmd, Relation OldHeap, Oid indexOid, rebuild_relation(OldHeap, index, verbose, ident_idx); out: - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); pgstat_progress_end_command(); } @@ -1234,7 +1223,6 @@ rebuild_relation(Relation OldHeap, Relation index, bool verbose, } } - /* * Create the transient table that will be filled with new data during * CLUSTER, ALTER TABLE, and similar operations. The transient table diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c index cb93c3e935a..d691b317011 100644 --- a/src/backend/commands/tablecmds.c +++ b/src/backend/commands/tablecmds.c @@ -23762,9 +23762,7 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, Oid defaultPartOid; Oid existingRelid; Oid ownerId = InvalidOid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; + IndexBuildSecurity ibsec; /* * Check ownership of merged partitions - partitions with different owners @@ -23896,18 +23894,9 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, newPartRel = createPartitionTable(wqueue, cmd->name, rel, ownerId); /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also, lockdown security-restricted operations and - * arrange to make GUC variable changes local to this command. - * - * Need to do it after determining the namespace in the - * createPartitionTable() call. + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(ownerId, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(ownerId, &ibsec); /* Copy data from merged partitions to the new partition. */ MergePartitionsMoveRows(wqueue, mergingPartitions, newPartRel); @@ -23944,11 +23933,8 @@ ATExecMergePartitions(List **wqueue, AlteredTableInfo *tab, Relation rel, /* Keep the lock until commit. */ table_close(newPartRel, NoLock); - /* Roll back any GUC changes executed by index functions. */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore the userid and security context. */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); } /* diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c index 38539a6fd3d..5d1cbc382fa 100644 --- a/src/backend/commands/vacuum.c +++ b/src/backend/commands/vacuum.c @@ -34,6 +34,7 @@ #include "access/tableam.h" #include "access/transam.h" #include "access/xact.h" +#include "catalog/index.h" #include "catalog/namespace.h" #include "catalog/pg_database.h" #include "catalog/pg_inherits.h" @@ -2017,10 +2018,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, LockRelId lockrelid; Oid priv_relid; Oid toast_relid; - Oid save_userid; - int save_sec_context; - int save_nestlevel; VacuumParams toast_vacuum_params; + IndexBuildSecurity ibsec; /* * This function scribbles on the parameters, so make a copy early to @@ -2270,16 +2269,9 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, toast_relid = InvalidOid; /* - * Switch to the table owner's userid, so that any index functions are run - * as that user. Also lock down security-restricted operations and - * arrange to make GUC variable changes local to this command. (This is - * unnecessary, but harmless, for lazy VACUUM.) + * Prevent index functions from doing what they are not supposed to. */ - GetUserIdAndSecContext(&save_userid, &save_sec_context); - SetUserIdAndSecContext(rel->rd_rel->relowner, - save_sec_context | SECURITY_RESTRICTED_OPERATION); - save_nestlevel = NewGUCNestLevel(); - RestrictSearchPath(); + enable_index_build_security(rel->rd_rel->relowner, &ibsec); /* * If PROCESS_MAIN is set (the default), it's time to vacuum the main @@ -2310,11 +2302,8 @@ vacuum_rel(Oid relid, RangeVar *relation, VacuumParams params, table_relation_vacuum(rel, ¶ms, bstrategy); } - /* Roll back any GUC changes executed by index functions */ - AtEOXact_GUC(false, save_nestlevel); - - /* Restore userid and security context */ - SetUserIdAndSecContext(save_userid, save_sec_context); + /* Relax the restrictions imposed above. */ + disable_index_build_security(&ibsec); /* all done with this class, but hold lock until commit */ if (rel) diff --git a/src/include/catalog/index.h b/src/include/catalog/index.h index 9aee8226347..dd9ae8119e5 100644 --- a/src/include/catalog/index.h +++ b/src/include/catalog/index.h @@ -172,6 +172,16 @@ extern void reindex_index(const ReindexStmt *stmt, Oid indexId, extern bool reindex_relation(const ReindexStmt *stmt, Oid relid, int flags, const ReindexParams *params); +typedef struct IndexBuildSecurity +{ + Oid userid; + int sec_context; + int nestlevel; +} IndexBuildSecurity; + +extern void enable_index_build_security(Oid userid, IndexBuildSecurity *sec); +extern void disable_index_build_security(IndexBuildSecurity *sec); + extern bool ReindexIsProcessingHeap(Oid heapOid); extern bool ReindexIsProcessingIndex(Oid indexOid); diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list index 25ac7079099..0ec534d15d7 100644 --- a/src/tools/pgindent/typedefs.list +++ b/src/tools/pgindent/typedefs.list @@ -1327,6 +1327,7 @@ IndexAttachInfo IndexAttrBitmapKind IndexBuildCallback IndexBuildResult +IndexBuildSecurity IndexBulkDeleteCallback IndexBulkDeleteResult IndexClause -- 2.52.0 --=-=-= Content-Type: text/x-diff Content-Disposition: attachment; filename=v02-0006-Use-separate-transactions-for-catalog-changes.patch ^ permalink raw reply [nested|flat] 94+ messages in thread
end of thread, other threads:[~2026-07-15 08:37 UTC | newest] Thread overview: 94+ messages (download: mbox mbox.gz follow: Atom feed) -- links below jump to the message on this page -- 2026-05-06 21:43 [PATCH v3 4/4] run pgindent Nathan Bossart <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-06-16 11:54 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]> 2026-07-15 08:37 [PATCH 5/8] Simplify the way restrictions are imposed on index functions. Antonin Houska <[email protected]>
This inbox is served by agora; see mirroring instructions for how to clone and mirror all data and code used for this inbox